
Windows Analysis Report
noode.exe

Overview

General Information

Sample name: noode.exe
Analysis ID: 1524236
MD5: 8d369c7a83bea4727ab814c6e09ea24e
SHA1: 918e3271610b1e2fb46e2e18b1f9f4ca3aa60d83
SHA256: 36024fb876d8059740b825f25de708368a223bbbacf02d73d003d4e4eeb88657
Tags: exe, user-aachum

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
PE file has a writeable .text section
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • noode.exe (PID: 6572 cmdline: "C:\Users\user\Desktop\noode.exe" MD5: 8D369C7A83BEA4727AB814C6E09EA24E)
    • noode.tmp (PID: 6588 cmdline: "C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp" /SL5="$103E8,7753864,54272,C:\Users\user\Desktop\noode.exe" MD5: 16C9D19AB32C18671706CEFEE19B6949)
      • zextervideocodec32.exe (PID: 6700 cmdline: "C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe" -i MD5: C84C1723350D751DF4CA78CC230B5EA7)
  • svchost.exe (PID: 6820 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 list": ["ejmbiem.ua"]}
Source | Rule | Description | Author | Strings
00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000003.00000002.3607247609.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: zextervideocodec32.exe PID: 6700 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

        System Summary

        Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 6820, ProcessName: svchost.exe

        AV Detection

        Source: zextervideocodec32.exe.6700.3.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["ejmbiem.ua"]}
        Source: noode.exe | ReversingLabs: Detection: 15%
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
        Source: C:\ProgramData\EMAIL Safe Storage 10.2.45\EMAIL Safe Storage 10.2.45.exe | Joe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_0045D4EC GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 1_2_0045D4EC
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_0045D5A0 ArcFourCrypt, 1_2_0045D5A0
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_0045D5B8 ArcFourCrypt, 1_2_0045D5B8
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_10001000 ISCryptGetVersion, 1_2_10001000
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_10001130 ArcFourCrypt, 1_2_10001130

        Compliance

        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Unpacked PE file: 3.2.zextervideocodec32.exe.400000.0.unpack
        Source: noode.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zexter Video Codec_is1
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00452A4C FindFirstFileA,GetLastError, 1_2_00452A4C
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_004751F8 FindFirstFileA,FindNextFileA,FindClose, 1_2_004751F8
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464048
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_004644C4
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00462ABC FindFirstFileA,FindNextFileA,FindClose, 1_2_00462ABC
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_00497A74

        Networking

        Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.12:49729 -> 185.208.158.248:80
        Source: Malware configuration extractor | URLs: ejmbiem.ua
        Source: Joe Sandbox View | IP Address: 185.208.158.248
        Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT
        Source: global traffic | HTTP traffic detected:
        GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
        Host: ejmbiem.ua
        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: unknown | UDP traffic detected without corresponding DNS query: 141.98.234.31
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02CE72AB Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free | 3_2_02CE72AB
        Source: global trafficDNS traffic detected: DNS query: ejmbiem.ua
        Source: zextervideocodec32.exe, 00000003.00000002.3605917609.0000000000937000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/
        Source: zextervideocodec32.exe, 00000003.00000002.3605917609.0000000000937000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/6
        Source: zextervideocodec32.exe, 00000003.00000002.3608728714.0000000003655000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.158.248/search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
        Source: is-99TKC.tmp.1.drString found in binary or memory: http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.2.8Content-Length:-/recv
        Source: is-DNQ2U.tmp.1.drString found in binary or memory: http://freedesktop.org
        Source: is-DNQ2U.tmp.1.drString found in binary or memory: http://freedesktop.orgtypenameexeccounttimestampparse_data-
        Source: noode.exe, 00000000.00000002.3605600043.00000000021A8000.00000004.00001000.00020000.00000000.sdmp, noode.exe, 00000000.00000003.2349135012.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000003.2351741005.0000000002148000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000002.3605961992.000000000071B000.00000004.00000020.00020000.00000000.sdmp, noode.tmp, 00000001.00000002.3606302910.0000000002137000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000003.2351373542.00000000030F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://fsf.org/
        Source: is-7S3H1.tmp.1.drString found in binary or memory: http://mingw-w64.sourceforge.net/X
        Source: is-99TKC.tmp.1.drString found in binary or memory: http://purl.oclc.org/dsdl/schematron
        Source: is-99TKC.tmp.1.drString found in binary or memory: http://purl.oclc.org/dsdl/schematronpathhttp://www.ascc.net/xml/schematron:node
        Source: is-PVGNH.tmp.1.drString found in binary or memory: http://rawpedia.rawtherapee.com/
        Source: is-99TKC.tmp.1.drString found in binary or memory: http://relaxng.org/ns/structure/1.0
        Source: is-99TKC.tmp.1.drString found in binary or memory: http://relaxng.org/ns/structure/1.0definenameincludegrammarxmlRelaxNGParse:
        Source: is-R29H0.tmp.1.drString found in binary or memory: http://tukaani.org/
        Source: is-R29H0.tmp.1.drString found in binary or memory: http://tukaani.org/xz/
        Source: is-99TKC.tmp.1.drString found in binary or memory: http://www.ascc.net/xml/schematron
        Source: is-B1QEF.tmp.1.drString found in binary or memory: http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd
        Source: is-DNQ2U.tmp.1.drString found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
        Source: is-DNQ2U.tmp.1.drString found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarksapplicationgroupapplicationsgroupsprivateiconh
        Source: is-DNQ2U.tmp.1.drString found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
        Source: noode.exe, 00000000.00000002.3605600043.00000000021A8000.00000004.00001000.00020000.00000000.sdmp, noode.exe, 00000000.00000003.2349135012.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000003.2351741005.0000000002148000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000002.3605961992.000000000071B000.00000004.00000020.00020000.00000000.sdmp, noode.tmp, 00000001.00000002.3606302910.0000000002137000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000003.2351373542.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, is-E80I1.tmp.1.dr, is-RBVLE.tmp.1.dr, is-G0T1P.tmp.1.dr, is-2PCU0.tmp.1.dr, is-NHCLN.tmp.1.dr, is-6GU1S.tmp.1.dr, is-LR924.tmp.1.dr, is-Q3AP0.tmp.1.dr, is-QBCU5.tmp.1.dr, is-RI0VT.tmp.1.dr, is-5EMLQ.tmp.1.drString found in binary or memory: http://www.gnu.org/licenses/
        Source: noode.tmp, noode.tmp, 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-G9DGJ.tmp.1.drString found in binary or memory: http://www.innosetup.com/
        Source: is-99TKC.tmp.1.drString found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
        Source: is-99TKC.tmp.1.drString found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
        Source: is-PVGNH.tmp.1.drString found in binary or memory: http://www.rawtherapee.com/
        Source: noode.exe, 00000000.00000003.2349512289.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, noode.exe, 00000000.00000003.2349716616.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, noode.tmp, 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-G9DGJ.tmp.1.drString found in binary or memory: http://www.remobjects.com/ps
        Source: noode.exe, 00000000.00000003.2349512289.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, noode.exe, 00000000.00000003.2349716616.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-G9DGJ.tmp.1.drString found in binary or memory: http://www.remobjects.com/psU
        Source: is-PVGNH.tmp.1.drString found in binary or memory: https://discuss.pixls.us/c/software/rawtherapee
        Source: is-PVGNH.tmp.1.drString found in binary or memory: https://github.com/Beep6581/RawTherapee

        System Summary

        Source: zextervideocodec32.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: EMAIL Safe Storage 10.2.45.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_0042F530 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00423B94 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_004125E8 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_004789DC NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_004573CC PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_0042E944 CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
        Source: C:\Users\user\Desktop\noode.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\Desktop\noode.exe | Code function: 0_2_0040840C
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_004804C6
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00470950
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_004352D8
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00467710
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_0043036C
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_004444D8
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_004345D4
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00486604
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00444A80
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00430EF8
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00445178
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_0045F430
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_0045B4D8
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00487564
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00445584
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00469770
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_0048D8C4
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_004519A8
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_0043DD60
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_00406C47
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_00401051
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_00401C26
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02D1B4E5
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02D1C2AD
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02CFE22D
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02CEF050
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02D04EC9
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02D02E54
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02CFE645
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02CF9F24
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02CFACDA
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02CF84E2
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02D05440
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02CFDD39
        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_RegDLL.tmp 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 00405964 appears 116 times
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 00408C14 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 00406ACC appears 41 times
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 00403400 appears 61 times
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 00445DE4 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 004078FC appears 43 times
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 004344EC appears 32 times
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 00403494 appears 82 times
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 00457D58 appears 73 times
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 00453330 appears 93 times
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 00457B4C appears 98 times
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 00403684 appears 221 times
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: String function: 004460B4 appears 59 times
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: String function: 02D053D0 appears 139 times
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: String function: 02CF8B80 appears 37 times
        Source: noode.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: noode.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: noode.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: noode.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: noode.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-G9DGJ.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: is-G9DGJ.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: is-G9DGJ.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-G9DGJ.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-OO36J.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-Q3AP0.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-3040J.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-GDGEQ.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-V9OMC.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-5V6CK.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-P8TLU.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-R29H0.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-B1QEF.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-DNQ2U.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-0PONS.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-7S3H1.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-9EKQS.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-3QIQD.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: noode.exe, 00000000.00000003.2349512289.00000000023D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs noode.exe
        Source: noode.exe, 00000000.00000003.2349716616.00000000021B4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs noode.exe
        Source: noode.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: _RegDLL.tmp.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/227@1/1
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_02CF08A0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError
        Source: C:\Users\user\Desktop\noode.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_00455DF8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_00402722 CloseServiceHandle,CloseServiceHandle,CreateServiceA,CloseServiceHandle,CloseServiceHandle
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Code function: 1_2_0046E38C GetVersion,CoCreateInstance
        Source: C:\Users\user\Desktop\noode.exe | Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_0040219D StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Code function: 3_2_0040219D StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec
        Source: C:\Users\user\Desktop\noode.exe | File created: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | File read: C:\Windows\win.ini
        Source: C:\Users\user\Desktop\noode.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: noode.exe | ReversingLabs: Detection: 15%
        Source: C:\Users\user\Desktop\noode.exe | File read: C:\Users\user\Desktop\noode.exe
        Source: unknown | Process created: C:\Users\user\Desktop\noode.exe "C:\Users\user\Desktop\noode.exe"
        Source: C:\Users\user\Desktop\noode.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp "C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp" /SL5="$103E8,7753864,54272,C:\Users\user\Desktop\noode.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Process created: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe "C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe" -i
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Users\user\Desktop\noode.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp "C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp" /SL5="$103E8,7753864,54272,C:\Users\user\Desktop\noode.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Process created: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe "C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe" -i
        Source: C:\Users\user\Desktop\noode.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\noode.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: rstrtmgr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: msacm32.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: riched20.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: usp10.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: msls31.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: explorerframe.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: sfc.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Section loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: dsound.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: powrprof.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: powrprof.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: umpdc.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: appxsip.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: opcservices.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: windows.staterepositorycore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Window found: window name: TMainForm
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zexter Video Codec_is1
        Source: noode.exe | Static file information: File size 8037905 > 1048576

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeUnpacked PE file: 3.2.zextervideocodec32.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeUnpacked PE file: 3.2.zextervideocodec32.exe.400000.0.unpack
        Source: is-2UKG5.tmp.1.drStatic PE information: 0x8C00008C [Mon Jun 6 07:19:40 2044 UTC]
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: 1_2_004502AC GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004502AC
        Source: is-3QIQD.tmp.1.drStatic PE information: section name: /4
        Source: is-6FIBU.tmp.1.drStatic PE information: section name: /4
        Source: is-99TKC.tmp.1.drStatic PE information: section name: /4
        Source: is-OBSAB.tmp.1.drStatic PE information: section name: /4
        Source: is-UB5BR.tmp.1.drStatic PE information: section name: /4
        Source: is-C2MKK.tmp.1.drStatic PE information: section name: /4
        Source: is-GDGEQ.tmp.1.dr Static PE information: section name: /4
        Source: is-Q3AP0.tmp.1.dr Static PE information: section name: /4
        Source: is-2UKG5.tmp.1.dr Static PE information: section name: /4
        Source: is-NQBP8.tmp.1.dr Static PE information: section name: /4
        Source: is-R29H0.tmp.1.dr Static PE information: section name: /4
        Source: is-9EKQS.tmp.1.dr Static PE information: section name: /4
        Source: is-5V6CK.tmp.1.dr Static PE information: section name: /4
        Source: is-6V5CI.tmp.1.dr Static PE information: section name: /4
        Source: is-OO36J.tmp.1.dr Static PE information: section name: /4
        Source: is-TV3K6.tmp.1.dr Static PE information: section name: /4
        Source: is-16BHT.tmp.1.dr Static PE information: section name: /4
        Source: is-LMLE4.tmp.1.dr Static PE information: section name: /4
        Source: is-0KE28.tmp.1.dr Static PE information: section name: /4
        Source: is-39GU6.tmp.1.dr Static PE information: section name: /4
        Source: is-VJDU6.tmp.1.dr Static PE information: section name: /4
        Source: is-V3G3E.tmp.1.dr Static PE information: section name: /4
        Source: is-5SKEM.tmp.1.dr Static PE information: section name: /4
        Source: is-V9OMC.tmp.1.dr Static PE information: section name: /4
        Source: is-M2RP0.tmp.1.dr Static PE information: section name: /4
        Source: is-CPOJD.tmp.1.dr Static PE information: section name: /4
        Source: is-50JPL.tmp.1.dr Static PE information: section name: /4
        Source: is-GIR45.tmp.1.dr Static PE information: section name: /4
        Source: is-5H4H0.tmp.1.dr Static PE information: section name: /4
        Source: is-0PONS.tmp.1.dr Static PE information: section name: /4
        Source: is-MOJAC.tmp.1.dr Static PE information: section name: /4
        Source: is-Q9119.tmp.1.dr Static PE information: section name: /4
        Source: is-4F47K.tmp.1.dr Static PE information: section name: /4
        Source: is-3040J.tmp.1.dr Static PE information: section name: /4
        Source: is-7S3H1.tmp.1.dr Static PE information: section name: /4
        Source: is-B1QEF.tmp.1.dr Static PE information: section name: /4
        Source: is-EAOA0.tmp.1.dr Static PE information: section name: /4
        Source: is-DNQ2U.tmp.1.dr Static PE information: section name: /4
        Source: is-5I9BT.tmp.1.dr Static PE information: section name: /4
        Source: is-P8TLU.tmp.1.dr Static PE information: section name: /4
        Source: C:\Users\user\Desktop\noode.exe Code function: 0_2_004065B8 push 004065F5h; ret 0_2_004065ED
        Source: C:\Users\user\Desktop\noode.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
        Source: C:\Users\user\Desktop\noode.exe Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
        Source: C:\Users\user\Desktop\noode.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\noode.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\noode.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
        Source: C:\Users\user\Desktop\noode.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\noode.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\noode.exe Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_00409954 push 00409991h; ret 1_2_00409989
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_0040A04F push ds; ret 1_2_0040A050
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_0040A023 push ds; ret 1_2_0040A04D
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_00460088 push ecx; mov dword ptr [esp], ecx 1_2_0046008C
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax 1_2_004062CD
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_0049467C push ecx; mov dword ptr [esp], ecx 1_2_00494681
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_004106E0 push ecx; mov dword ptr [esp], edx 1_2_004106E5
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_00412938 push 0041299Bh; ret 1_2_00412993
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_0040D038 push ecx; mov dword ptr [esp], edx 1_2_0040D03A
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_004850AC push ecx; mov dword ptr [esp], ecx 1_2_004850B1
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_00443450 push ecx; mov dword ptr [esp], ecx 1_2_00443454
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_0040F598 push ecx; mov dword ptr [esp], edx 1_2_0040F59A
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_00459634 push 00459678h; ret 1_2_00459670
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_004517E4 push 00451817h; ret 1_2_0045180F
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_004519A8 push ecx; mov dword ptr [esp], eax 1_2_004519AD
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_00483A08 push 00483AF7h; ret 1_2_00483AEF
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_00477A24 push ecx; mov dword ptr [esp], edx 1_2_00477A25

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_00401A4F
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02CEF879
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-DNQ2U.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\2.10.0\engines\libpixmap.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-UB5BR.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-NQBP8.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-0KE28.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\modules\libgail.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libfreetype-6.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-R29H0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-Q9119.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgobject-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libxml2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\librsvg-2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-OBSAB.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-99TKC.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\2.10.0\engines\is-TV3K6.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpangowin32-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\zlib1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpng16-16.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpcre-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgdk_pixbuf-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-B1QEF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-5SKEM.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libglibmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-GIR45.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpixman-1-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-LMLE4.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libfontconfig-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-Q3AP0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-MOJAC.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpangoft2-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgraphite2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-2UKG5.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\2.10.0\engines\is-16BHT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-V3G3E.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgiomm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-EAOA0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-0PONS.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-5H4H0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgomp-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpango-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgdk-win32-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgdkmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libtiff-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-VJDU6.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-3040J.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-9EKQS.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libiconv-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-OO36J.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-3QIQD.tmp
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe File created: C:\ProgramData\EMAIL Safe Storage 10.2.45\EMAIL Safe Storage 10.2.45.exe
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-V9OMC.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgio-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpangomm-1.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\is-G9DGJ.tmp
        Source: C:\Users\user\Desktop\noode.exe File created: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libglib-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libstdc++-6.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\2.10.0\engines\libwimp.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libwinpthread-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-5V6CK.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-P8TLU.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-50JPL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libintl-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libjpeg-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libffi-6.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libharfbuzz-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\modules\is-6V5CI.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpangocairo-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-GDGEQ.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-4F47K.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libexpat-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-CPOJD.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgmodule-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libsigc-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\liblcms2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-M2RP0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\liblzma-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-5I9BT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-39GU6.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-C2MKK.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-6FIBU.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-7S3H1.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgcc_s_dw2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe File created: C:\ProgramData\EMAIL Safe Storage 10.2.45\EMAIL Safe Storage 10.2.45.exe
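        When this report is copied out as text, each evidence line carries the source process, the signature kind and the detail in one string, often with the page's "Jump to dropped file" link label and the function address still attached to the last token. The parser below is an added example, not part of the Joe Sandbox report or of its tooling: it recovers the three fields from lines in either the fused or the space-separated layout, then pulls out the triage facts a responder wants from this section: which process wrote which files (the noode.exe > noode.tmp > zextervideocodec32.exe > C:\ProgramData staging chain), the CreateFileA/DeviceIoControl code paths that open \\.\PhysicalDrive0, and the StartServiceCtrlDispatcherA entry point. The sample lines are copied from this report; the rule that the shortest process index wins when an address is fused onto a digit is an assumption about the export, valid for the single-digit indexes seen here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: evidence lines copied from this report in the fused text-export form.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeCode function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive03_2_00401A4F",
    r"Source: C:\Users\user\Desktop\noode.exeFile created: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpFile created: C:\Users\user\AppData\Local\Zexter Video Codec\libfreetype-6.dll (copy)Jump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeFile created: C:\ProgramData\EMAIL Safe Storage 10.2.45\EMAIL Safe Storage 10.2.45.exeJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeCode function: 3_2_0040219D StartServiceCtrlDispatcherA,3_2_0040219D",
    r"Source: is-GDGEQ.tmp.1.drStatic PE information: section name: /4",
]

# Signature kinds that appear on this page; matched literally because the export
# puts nothing between the source path and the kind.
KINDS = ("Code function", "File created", "Dropped PE file which has not been started",
         "Static PE information", "Process information set", "Window / User API")
LINE_RE = re.compile(r"^Source:\s*(?P<source>.+?)\s*(?P<kind>"
                     + "|".join(re.escape(k) for k in KINDS) + r"):\s*(?P<detail>.*)$")
ADDR = r"\d+_\d+_[0-9A-Fa-f]{8}"          # Joe Sandbox: <process index>_<stage>_<virtual address>
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")  # API names; excludes tokens such as \\.\PhysicalDrive0
LINK_LABELS = ("Jump to dropped file", "Jump to behavior")


@dataclass(frozen=True)
class Record:
    source: str                    # process (or dropped-file id) the evidence came from
    kind: str                      # signature kind, e.g. "File created"
    detail: str                    # detail with link label and address removed
    apis: Tuple[str, ...] = ()     # API names, "Code function" records only
    address: Optional[str] = None  # function start address, "Code function" records only


def _strip_link_label(detail: str) -> str:
    for label in LINK_LABELS:
        if detail.endswith(label):
            return detail[: -len(label)].rstrip()
    return detail


def _split_code_function(detail: str) -> Tuple[str, Tuple[str, ...], Optional[str]]:
    """Split a 'Code function' detail into (body, api names, address).

    Layouts: "3_2_0040219D Foo,3_2_0040219D" (address repeated) and
    "Foo,Bar, \\.\PhysicalDrive03_2_00401A4F" (address fused onto the last token).
    The fused layout is ambiguous when that token ends in a digit; the greedy body
    match keeps the shortest process index, an assumption that holds for this report.
    """
    address: Optional[str] = None
    body = detail
    lead = re.match(r"^(" + ADDR + r")\s+", body)
    if lead:                                   # leading address = function start
        address = lead.group(1)
        body = body[lead.end():]
    tail = re.match(r"^(.*)(" + ADDR + r")$", body)   # greedy .* -> shortest trailing address
    if tail:
        body = tail.group(1)
        address = address or tail.group(2)
    body = body.rstrip(", ")
    apis = tuple(t.strip() for t in body.split(",") if IDENT_RE.match(t.strip()))
    return body, apis, address


def parse_line(line: str) -> Optional[Record]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    source, kind = m.group("source").strip(), m.group("kind")
    detail = _strip_link_label(m.group("detail").strip())
    if kind == "Code function":
        body, apis, address = _split_code_function(detail)
        return Record(source, kind, body, apis, address)
    return Record(source, kind, detail)


def parse_report(lines: List[str]) -> List[Record]:
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def drop_chain(records: List[Record]) -> Dict[str, List[str]]:
    """Writer process -> files it created, in report order (the staging chain)."""
    chain: Dict[str, List[str]] = {}
    for r in records:
        if r.kind == "File created":
            chain.setdefault(r.source, []).append(r.detail)
    return chain


def raw_disk_access(records: List[Record]) -> List[Record]:
    """Code paths that open a physical drive and talk to it via DeviceIoControl."""
    return [r for r in records if r.kind == "Code function"
            and {"CreateFileA", "DeviceIoControl"} <= set(r.apis)
            and "PhysicalDrive" in r.detail]


def service_entry_points(records: List[Record]) -> List[Record]:
    """Functions that register a service main, i.e. the boot-survival hook."""
    return [r for r in records if "StartServiceCtrlDispatcherA" in r.apis]
```

        Run it as `parse_report(SAMPLE_LINES)` and feed the result to `drop_chain`, `raw_disk_access` and `service_entry_points`; the same functions accept the space-separated layout, so a cleaned copy of the report parses identically. Records of kind "Static PE information" keep the dropped-file id (for example `is-GDGEQ.tmp.1.dr`) as their source, which lets the `/4` section-name hits be joined back to the matching `File created` paths by the `is-XXXXX.tmp` name.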

        Boot Survival

        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_00401A4F
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02CEF879
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe Code function: 3_2_0040219D StartServiceCtrlDispatcherA, 3_2_0040219D
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C1C
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus, 1_2_004241EC
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_004241A4 IsIconic,SetActiveWindow, 1_2_004241A4
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418394
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042286C
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_004833BC IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_004833BC
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_004175A8 IsIconic,GetCapture, 1_2_004175A8
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_00417CDE IsIconic,SetWindowPos, 1_2_00417CDE
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CE0
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Code function: 1_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F128
        Source: C:\Users\user\Desktop\noode.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 3_2_00401B4B
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 3_2_02CEF97D
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe Window / User API: threadDelayed 9572
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-DNQ2U.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\2.10.0\engines\libpixmap.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-UB5BR.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-NQBP8.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\modules\libgail.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-0KE28.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libfreetype-6.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-R29H0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-Q9119.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgobject-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libxml2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\librsvg-2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-OBSAB.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-99TKC.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\2.10.0\engines\is-TV3K6.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpangowin32-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\zlib1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpng16-16.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpcre-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgdk_pixbuf-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-B1QEF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-5SKEM.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libglibmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-GIR45.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpixman-1-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libfontconfig-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-LMLE4.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpangoft2-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-Q3AP0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-MOJAC.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgraphite2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\2.10.0\engines\is-16BHT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-2UKG5.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-V3G3E.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgiomm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-EAOA0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-0PONS.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-5H4H0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgomp-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpango-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgdk-win32-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgdkmm-2.4-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libtiff-5.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-VJDU6.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-3040J.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-9EKQS.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libiconv-2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-OO36J.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-3QIQD.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpangomm-1.4-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgio-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-V9OMC.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\is-G9DGJ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libglib-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libstdc++-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libwinpthread-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\2.10.0\engines\libwimp.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-5V6CK.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-P8TLU.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-50JPL.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\unins000.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libintl-8.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libjpeg-8.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libharfbuzz-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libffi-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\modules\is-6V5CI.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpangocairo-1.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-GDGEQ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libexpat-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-4F47K.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgmodule-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libsigc-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-CPOJD.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\liblcms2-2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-M2RP0.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\liblzma-5.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-5I9BT.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-39GU6.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-C2MKK.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-7S3H1.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-6FIBU.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgcc_s_dw2-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\Desktop\noode.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-5688
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_3-19282
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe TID: 6704Thread sleep count: 274 > 30Jump to behavior
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe TID: 6704Thread sleep time: -548000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe TID: 5852Thread sleep count: 73 > 30Jump to behavior
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe TID: 5852Thread sleep time: -4380000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe TID: 6704Thread sleep count: 9572 > 30Jump to behavior
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe TID: 6704Thread sleep time: -19144000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeFile opened: PhysicalDrive0Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: 1_2_00452A4C FindFirstFileA,GetLastError,1_2_00452A4C
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: 1_2_004751F8 FindFirstFileA,FindNextFileA,FindClose,1_2_004751F8
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: 1_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00464048
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: 1_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_004644C4
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: 1_2_00462ABC FindFirstFileA,FindNextFileA,FindClose,1_2_00462ABC
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: 1_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00497A74
        Source: C:\Users\user\Desktop\noode.exeCode function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409B30
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeThread delayed: delay time: 60000Jump to behavior
        Source: zextervideocodec32.exe, 00000003.00000002.3608442901.0000000003568000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: zextervideocodec32.exe, 00000003.00000002.3605917609.000000000085E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH
        Source: C:\Users\user\Desktop\noode.exeAPI call chain: ExitProcess graph end nodegraph_0-6728
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeAPI call chain: ExitProcess graph end nodegraph_3-19283
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeAPI call chain: ExitProcess graph end nodegraph_3-21675
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeCode function: 3_2_02D0019E RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,3_2_02D0019E
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeCode function: 3_2_02D0019E RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,3_2_02D0019E
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: 1_2_004502AC GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004502AC
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeCode function: 3_2_02CE648B RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,3_2_02CE648B
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeCode function: 3_2_02CF9508 SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_02CF9508
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: 1_2_00478420 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_00478420
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: 1_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,1_2_0042E0AC
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exeCode function: 3_2_02CF804D cpuid 3_2_02CF804D
        Source: C:\Users\user\Desktop\noode.exeCode function: GetLocaleInfoA,0_2_004051FC
        Source: C:\Users\user\Desktop\noode.exeCode function: GetLocaleInfoA,0_2_00405248
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: GetLocaleInfoA,1_2_00408570
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: GetLocaleInfoA,1_2_004085BC
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: 1_2_0045892C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_0045892C
        Source: C:\Users\user\Desktop\noode.exeCode function: 0_2_004026C4 GetSystemTime,0_2_004026C4
        Source: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmpCode function: 1_2_00455588 GetUserNameA,1_2_00455588
        Source: C:\Users\user\Desktop\noode.exeCode function: 0_2_00405CE4 GetVersionExA,0_2_00405CE4

        Stealing of Sensitive Information

        Source: Yara match | File source: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.3607247609.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: zextervideocodec32.exe PID: 6700, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.3607247609.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: zextervideocodec32.exe PID: 6700, type: MEMORYSTR
        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid Accounts3
        Native API
        1
        DLL Side-Loading
        1
        Exploitation for Privilege Escalation
        1
        Deobfuscate/Decode Files or Information
        OS Credential Dumping1
        System Time Discovery
        Remote Services1
        Archive Collected Data
        2
        Ingress Tool Transfer
        Exfiltration Over Other Network Medium1
        System Shutdown/Reboot
        CredentialsDomainsDefault Accounts2
        Service Execution
        5
        Windows Service
        1
        DLL Side-Loading
        2
        Obfuscated Files or Information
        LSASS Memory1
        Account Discovery
        Remote Desktop ProtocolData from Removable Media2
        Encrypted Channel
        Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAt1
        Bootkit
        1
        Access Token Manipulation
        21
        Software Packing
        Security Account Manager2
        File and Directory Discovery
        SMB/Windows Admin SharesData from Network Shared Drive2
        Non-Application Layer Protocol
        Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook5
        Windows Service
        1
        Timestomp
        NTDS35
        System Information Discovery
        Distributed Component Object ModelInput Capture112
        Application Layer Protocol
        Traffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script2
        Process Injection
        1
        DLL Side-Loading
        LSA Secrets41
        Security Software Discovery
        SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
        Masquerading
        Cached Domain Credentials1
        Process Discovery
        VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
        Virtualization/Sandbox Evasion
        DCSync21
        Virtualization/Sandbox Evasion
        Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
        Access Token Manipulation
        Proc Filesystem11
        Application Window Discovery
        Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
        Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt2
        Process Injection
        /etc/passwd and /etc/shadow3
        System Owner/User Discovery
        Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
        IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
        Bootkit
        Network Sniffing1
        Remote System Discovery
        Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
        Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchdStripped PayloadsInput Capture1
        System Network Configuration Discovery
        Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption


        Source | Detection | Scanner | Label | Link
        noode.exe | 16% | ReversingLabs | Win32.Trojan.Munp
        Source | Detection | Scanner | Label | Link
        C:\ProgramData\EMAIL Safe Storage 10.2.45\EMAIL Safe Storage 10.2.45.exe | 100% | Joe Sandbox ML
        C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-0KE28.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-0PONS.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-2UKG5.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-3040J.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-39GU6.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-3QIQD.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-4F47K.tmp | 2% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-50JPL.tmp | 2% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-5H4H0.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-5I9BT.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-5SKEM.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-5V6CK.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-6FIBU.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-7S3H1.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-99TKC.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-9EKQS.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-B1QEF.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-C2MKK.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-CPOJD.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-DNQ2U.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-EAOA0.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-GDGEQ.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-GIR45.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-LMLE4.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-M2RP0.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-MOJAC.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-NQBP8.tmp | 2% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-OBSAB.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-OO36J.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-P8TLU.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-Q3AP0.tmp | 2% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-Q9119.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-R29H0.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-UB5BR.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-V3G3E.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-V9OMC.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\is-VJDU6.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\2.10.0\engines\is-16BHT.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\2.10.0\engines\is-TV3K6.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\2.10.0\engines\libpixmap.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\2.10.0\engines\libwimp.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\modules\is-6V5CI.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\lib\gtk-2.0\modules\libgail.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libexpat-1.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libffi-6.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libfontconfig-1.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libfreetype-6.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgcc_s_dw2-1.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgdk-win32-2.0-0.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgdk_pixbuf-2.0-0.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgdkmm-2.4-1.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgio-2.0-0.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgiomm-2.4-1.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libglib-2.0-0.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libglibmm-2.4-1.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgmodule-2.0-0.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgobject-2.0-0.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgomp-1.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgraphite2.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libharfbuzz-0.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libiconv-2.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libintl-8.dll (copy) | 2% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libjpeg-8.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\liblcms2-2.dll (copy) | 2% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\liblzma-5.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libpango-1.0-0.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libpangocairo-1.0-0.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libpangoft2-1.0-0.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libpangomm-1.4-1.dll (copy) | 0% | ReversingLabs
        No Antivirus matches
        No Antivirus matches
        SourceDetectionScannerLabelLink
        http://www.innosetup.com/0%URL Reputationsafe
        http://www.remobjects.com/ps0%URL Reputationsafe
        NameIPActiveMaliciousAntivirus DetectionReputation
        ejmbiem.ua
        185.208.158.248
        truetrue
          unknown
          NameMaliciousAntivirus DetectionReputation
          ejmbiem.uatrue
            unknown
            http://ejmbiem.ua/search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94true
              unknown
Name:http://www.innosetup.com/
Source:noode.tmp, noode.tmp, 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-G9DGJ.tmp.1.dr
Malicious:false
Antivirus Detection:URL Reputation: safe
Reputation:unknown

Name:http://185.208.158.248/search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
Source:zextervideocodec32.exe, 00000003.00000002.3608728714.0000000003655000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Reputation:unknown

Name:http://freedesktop.orgtypenameexeccounttimestampparse_data-
Source:is-DNQ2U.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.2.8Content-Length:-/recv
Source:is-99TKC.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://www.freedesktop.org/standards/desktop-bookmarks
Source:is-DNQ2U.tmp.1.dr
Malicious:false
Reputation:unknown

Name:https://github.com/Beep6581/RawTherapee
Source:is-PVGNH.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source:is-99TKC.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source:is-99TKC.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://purl.oclc.org/dsdl/schematron
Source:is-99TKC.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://relaxng.org/ns/structure/1.0definenameincludegrammarxmlRelaxNGParse:
Source:is-99TKC.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://www.ascc.net/xml/schematron
Source:is-99TKC.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd
Source:is-B1QEF.tmp.1.dr
Malicious:false
Reputation:unknown

Name:https://discuss.pixls.us/c/software/rawtherapee
Source:is-PVGNH.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://tukaani.org/
Source:is-R29H0.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://185.208.158.248/6
Source:zextervideocodec32.exe, 00000003.00000002.3605917609.0000000000937000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Reputation:unknown

Name:http://www.remobjects.com/psU
Source:noode.exe, 00000000.00000003.2349512289.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, noode.exe, 00000000.00000003.2349716616.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-G9DGJ.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://tukaani.org/xz/
Source:is-R29H0.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://mingw-w64.sourceforge.net/X
Source:is-7S3H1.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://185.208.158.248/
Source:zextervideocodec32.exe, 00000003.00000002.3605917609.0000000000937000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Reputation:unknown

Name:http://www.freedesktop.org/standards/shared-mime-info
Source:is-DNQ2U.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://www.rawtherapee.com/
Source:is-PVGNH.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://www.freedesktop.org/standards/desktop-bookmarksapplicationgroupapplicationsgroupsprivateiconh
Source:is-DNQ2U.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://rawpedia.rawtherapee.com/
Source:is-PVGNH.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://relaxng.org/ns/structure/1.0
Source:is-99TKC.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://www.remobjects.com/ps
Source:noode.exe, 00000000.00000003.2349512289.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, noode.exe, 00000000.00000003.2349716616.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, noode.tmp, 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-G9DGJ.tmp.1.dr
Malicious:false
Antivirus Detection:URL Reputation: safe
Reputation:unknown

Name:http://fsf.org/
Source:noode.exe, 00000000.00000002.3605600043.00000000021A8000.00000004.00001000.00020000.00000000.sdmp, noode.exe, 00000000.00000003.2349135012.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000003.2351741005.0000000002148000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000002.3605961992.000000000071B000.00000004.00000020.00020000.00000000.sdmp, noode.tmp, 00000001.00000002.3606302910.0000000002137000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000003.2351373542.00000000030F0000.00000004.00001000.00020000.00000000.sdmp
Malicious:false
Reputation:unknown

Name:http://freedesktop.org
Source:is-DNQ2U.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://purl.oclc.org/dsdl/schematronpathhttp://www.ascc.net/xml/schematron:node
Source:is-99TKC.tmp.1.dr
Malicious:false
Reputation:unknown

Name:http://www.gnu.org/licenses/
Source:noode.exe, 00000000.00000002.3605600043.00000000021A8000.00000004.00001000.00020000.00000000.sdmp, noode.exe, 00000000.00000003.2349135012.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000003.2351741005.0000000002148000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000002.3605961992.000000000071B000.00000004.00000020.00020000.00000000.sdmp, noode.tmp, 00000001.00000002.3606302910.0000000002137000.00000004.00001000.00020000.00000000.sdmp, noode.tmp, 00000001.00000003.2351373542.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, is-E80I1.tmp.1.dr, is-RBVLE.tmp.1.dr, is-G0T1P.tmp.1.dr, is-2PCU0.tmp.1.dr, is-NHCLN.tmp.1.dr, is-6GU1S.tmp.1.dr, is-LR924.tmp.1.dr, is-Q3AP0.tmp.1.dr, is-QBCU5.tmp.1.dr, is-RI0VT.tmp.1.dr, is-5EMLQ.tmp.1.dr
Malicious:false
Reputation:unknown
IP:185.208.158.248
Domain:ejmbiem.ua
Country:Switzerland
ASN:34888
ASN Name:SIMPLECARRER2IT
Malicious:true
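The network indicators above (the C2 domain ejmbiem.ua, the IP 185.208.158.248 and the GET /search/?q=<long hex> beacon) and the SHA-256 values of the dropped files the report marks Malicious:true further down can be turned into a small matcher. The block below is an added example, not part of the Joe Sandbox report and not code from the sample: it copies those IOC values, runs them over a few constructed proxy-log lines, and offers a hash lookup for the dropped files. The log-line layout, the 128-hex-character threshold for the beacon shape (the report's own q value is 196 characters) and the constructed inputs are assumptions of this example.

```python
"""
Added example (not part of the Joe Sandbox report, not code from the sample):
IOC matcher built from the report's network indicators and dropped-file hashes.
Assumptions: the log-line layout, the 128-hex-character beacon threshold and
the constructed SAMPLE_LOG entries are ours, not the report's.
"""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Network IOCs copied from the domain / contacted-URL / ASN tables above.
C2_DOMAINS = {"ejmbiem.ua"}
C2_IPS = {"185.208.158.248"}

# SHA-256 values of the dropped files the report marks Malicious:true.
MALICIOUS_SHA256 = {
    "f1f987ca137b5d370088685c6921eea43cc3a5fc47493edfb60aae4b201e1e97",  # 3022336-byte PE32, dropped by zextervideocodec32.exe
    "c1769524411682d5a204c8a40f983123c67efeadb721160e42d7bbfe4531eb70",  # 709120-byte PE32, dropped by noode.exe
    "4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2",  # 4096-byte PE32, dropped by noode.tmp
}

# The observed beacon is GET /search/?q=<196 lowercase hex characters>. Accepting any
# q of at least 128 hex characters generalises the shape beyond this one sample;
# the threshold is an assumption of this example, not something the report states.
BEACON_PATH = "/search/"
BEACON_QUERY_RE = re.compile(r"^[0-9a-f]{128,}$")

# Constructed log layout (not a real product's): "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url):
    """Return the IOC rules a URL matches, in a fixed order; an empty list means no match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_DOMAINS:
        reasons.append("c2-domain")
    if host in C2_IPS:
        reasons.append("c2-ip")
    if parts.path == BEACON_PATH:
        # parse_qs drops blank values, so default to "" and let the regex reject it.
        q = parse_qs(parts.query).get("q", [""])[0]
        if BEACON_QUERY_RE.match(q):
            reasons.append("beacon-shape")
    return reasons


def scan_log(lines):
    """Return (client-ip, url, reasons) for every parseable line that hits at least one rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the whole sweep
        reasons = classify_url(m.group("url"))
        if reasons:
            hits.append((m.group("src"), m.group("url"), reasons))
    return hits


def hash_is_known(data):
    """True when the SHA-256 of the given bytes is one of the report's malicious dropped files."""
    return hashlib.sha256(data).hexdigest() in MALICIOUS_SHA256


# Beacon query string copied from the contacted-URLs table above.
REPORT_Q = (
    "67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94"
)

# Constructed log lines: the first two reuse URLs from the report, the rest are made up.
SAMPLE_LOG = [
    "2024-10-02T15:21:34Z 10.0.0.5 GET http://ejmbiem.ua/search/?q=" + REPORT_Q + " 200",
    "2024-10-02T15:21:35Z 10.0.0.5 GET http://185.208.158.248/ 200",
    "2024-10-02T15:22:01Z 10.0.0.7 GET http://www.rawtherapee.com/ 200",
    "2024-10-02T15:22:09Z 10.0.0.9 GET http://cdn.example.invalid/search/?q=" + "ab" * 64 + " 200",
    "2024-10-02T15:22:10Z 10.0.0.9 GET http://cdn.example.invalid/search/?q=abc 404",
    "this line is not in the expected layout",
]

if __name__ == "__main__":
    for src, url, reasons in scan_log(SAMPLE_LOG):
        print(src, ",".join(reasons), url[:60])
```

The host rules are exact matches on the report's IOCs; the beacon-shape rule is the only heuristic, and on its own it fires on any host that serves /search/ with a long hex query, so treat a shape-only hit as a lead to triage rather than a verdict.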
                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1524236
                                                                    Start date and time:2024-10-02 17:19:58 +02:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 6m 52s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:noode.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.evad.winEXE@6/227@1/1
                                                                    EGA Information:
                                                                    • Successful, ratio: 100%
                                                                    HCA Information:
                                                                    • Successful, ratio: 90%
                                                                    • Number of executed functions: 163
                                                                    • Number of non-executed functions: 256
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • VT rate limit hit for: noode.exe
Time:11:21:34
Type:API Interceptor
Description:373290x Sleep call for process: zextervideocodec32.exe modified
Match:185.208.158.248
Associated samples:
• noode.exe, Detection:malicious, Threat Name:Socks5Systemz
• file.exe, Detection:malicious, Threat Name:LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz
• file.exe, Detection:malicious, Threat Name:LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz
• SecuriteInfo.com.Trojan.Win32.Crypt.31282.17969.exe, Detection:malicious, Threat Name:Socks5Systemz
• SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe, Detection:malicious, Threat Name:Socks5Systemz
• file.exe, Detection:malicious, Threat Name:Clipboard Hijacker, Cryptbot, Neoreklami, Socks5Systemz
• file.exe, Detection:malicious, Threat Name:Socks5Systemz
• boSodF2WmT.exe, Detection:malicious, Threat Name:Socks5Systemz
• file.exe, Detection:malicious, Threat Name:Socks5Systemz
• 8b8h4p07ND.exe, Detection:malicious, Threat Name:Socks5Systemz
                                                                                        No context
Match:SIMPLECARRER2IT
Associated samples / URLs:
• http://Asm.alcateia.org, Detection:malicious, Threat Name:HTMLPhisher, Context:185.208.158.9
• noode.exe, Detection:malicious, Threat Name:Socks5Systemz, Context:185.208.158.248
• file.exe, Detection:malicious, Threat Name:LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz, Context:185.208.158.248
• file.exe, Detection:malicious, Threat Name:LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz, Context:185.208.158.248
• SecuriteInfo.com.Trojan.Win32.Crypt.31282.17969.exe, Detection:malicious, Threat Name:Socks5Systemz, Context:185.208.158.248
• SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe, Detection:malicious, Threat Name:Socks5Systemz, Context:185.196.8.214
• SecuriteInfo.com.Gen.Heur.Munp.1.20199.21407.exe, Detection:malicious, Threat Name:Socks5Systemz, Context:185.196.8.214
• SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe, Detection:malicious, Threat Name:Socks5Systemz, Context:185.208.158.248
• http://www.jp-area.com/beppu/rank.cgi?mode=link&id=218&url=https://0oenqK.startprogrammingnowbook.com, Detection:malicious, Threat Name:HTMLPhisher, Context:185.208.158.9
• https://www.pineapplehospitality.net/, Detection:malicious, Threat Name:Unknown, Context:185.208.159.111
                                                                                        No context
Match:C:\Users\user\AppData\Local\Temp\is-PBM2B.tmp\_isetup\_RegDLL.tmp
Associated samples:
• file.exe, Detection:malicious, Threat Name:Unknown
• noode.exe, Detection:malicious, Threat Name:Socks5Systemz
• file.exe, Detection:malicious, Threat Name:LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz
• AX3-GUI-45.exe, Detection:malicious, Threat Name:Unknown
• file.exe, Detection:malicious, Threat Name:HTMLPhisher
• AX3-GUI-45.exe, Detection:malicious, Threat Name:Unknown
• qgdf1HLJno.exe, Detection:malicious, Threat Name:Socks5Systemz
• file.exe, Detection:malicious, Threat Name:Socks5Systemz
• file.exe, Detection:malicious, Threat Name:Socks5Systemz
• install.exe, Detection:malicious, Threat Name:Socks5Systemz
                                                                                                            Process:C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):3022336
                                                                                                            Entropy (8bit):7.1621335495556915
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:49152:LvuOCl8ZHuL49v5Z3GCWLV9/OPKRsPbxTM3aDM1mxKD9PfcH89hsa5yPM28go:LvuuZE49TGnLV9/OiRsPbxTM3aDrKD5F
                                                                                                            MD5:C84C1723350D751DF4CA78CC230B5EA7
                                                                                                            SHA1:BB32FA00AB20A534B453224CF0B921824E67FC31
                                                                                                            SHA-256:F1F987CA137B5D370088685C6921EEA43CC3A5FC47493EDFB60AAE4B201E1E97
                                                                                                            SHA-512:F673D5518BB29983C9243C9E69659A688441D2F51E89B9FFAF8856B2B454DCBE893F4BECD89DC5C11BF7C30262A9296A10DAEC2ED29F186D71161BE96FAA18B6
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Reputation:low
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...L..L..................".........(."......."...@.........................................................................."......p#..............................................................................."..............................text.....".......".................`....rdata........".......".............@..@.data....d....#..0....".............@....rsrc........p#.......#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8
                                                                                                            Entropy (8bit):2.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Rqt:0t
                                                                                                            MD5:2EDD00C1BBC200E4E358113D524FC250
                                                                                                            SHA1:E24EE48216ED18B39EBF91646DA21409540AA11D
                                                                                                            SHA-256:1EDFD6A55D0465579F2C0E44B1C846288501178AF25DC15DA5FAA0B65AA09CD4
                                                                                                            SHA-512:195CF4D71870574553B874F46027EEC424CC4E136C6DD15D0EA3E0D4412D1CEE132EB1474869965E36C31E66B72F4675764F18E4748055473CAA604330E88C77
                                                                                                            Malicious:false
                                                                                                            Reputation:low
                                                                                                            Preview:.e.f....
                                                                                                            Process:C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4
                                                                                                            Entropy (8bit):0.8112781244591328
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:m:m
                                                                                                            MD5:228F3022DE3BC44ACE8409F4F75F294E
                                                                                                            SHA1:B8B1EE0B4EE6AD4F385CE2F4DD1D417B2D1B7F03
                                                                                                            SHA-256:FB31B4206368CA3D59E2F09DC245B7462E2FEA4584B8DE634FA9F1AAEA20BFBC
                                                                                                            SHA-512:315CE03B16DFF7FD6A29D09C22976C41D06EA32653F32C75B07C8CE2C9EA79756C726635C1D10C070DC739FBD81D205F2407E810F98F37760FCA3B0E1E754D0D
                                                                                                            Malicious:false
                                                                                                            Reputation:moderate, very likely benign file
                                                                                                            Preview:W...
                                                                                                            Process:C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):128
                                                                                                            Entropy (8bit):2.9545817380615236
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                                                            MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                                                            SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                                                            SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                                                            SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                                                            Malicious:false
                                                                                                            Reputation:moderate, very likely benign file
                                                                                                            Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):128
                                                                                                            Entropy (8bit):1.7095628900165245
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:LDXdQSWBdMUE/:LLdQSGd
                                                                                                            MD5:4FFFD4D2A32CBF8FB78D521B4CC06680
                                                                                                            SHA1:3FA6EFA82F738740179A9388D8046619C7EBDF54
                                                                                                            SHA-256:EC52F73A17E6AFCF78F3FD8DFC7177024FEB52F5AC2B602886788E4348D5FB68
                                                                                                            SHA-512:130A074E6AD38EEE2FB088BED2FCB939BF316B0FCBB4F5455AB49C2685BEEDCB5011107A22A153E56BF5E54A45CA4801C56936E71899C99BA9A4F694A1D4CC6D
                                                                                                            Malicious:false
                                                                                                            Reputation:moderate, very likely benign file
                                                                                                            Preview:dad6f9fa0c8327344d1aa24f183c3767................................................................................................
                                                                                                            Process:C:\Users\user\Desktop\noode.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):709120
                                                                                                            Entropy (8bit):6.498750714093575
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:thu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURFFDExyF:Pu7eEYCP8trP837szHUA60SLtcV3E9kT
                                                                                                            MD5:16C9D19AB32C18671706CEFEE19B6949
                                                                                                            SHA1:FCA23338CB77068E1937DF4E59D9C963C5548CF8
                                                                                                            SHA-256:C1769524411682D5A204C8A40F983123C67EFEADB721160E42D7BBFE4531EB70
                                                                                                            SHA-512:32B4B0B2FB56A299046EC26FB41569491E8B0CD2F8BEC9D57EC0D1AD1A7860EEC72044DAB2D5044CB452ED46E9F21513EAB2171BAFA9087AF6D2DE296455C64B
                                                                                                            Malicious:true
                                                                                                            Reputation:low
                                                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4096
                                                                                                            Entropy (8bit):4.026670007889822
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
                                                                                                            MD5:0EE914C6F0BB93996C75941E1AD629C6
                                                                                                            SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
                                                                                                            SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
                                                                                                            SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Joe Sandbox View:
                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                            • Filename: noode.exe, Detection: malicious
                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                            • Filename: AX3-GUI-45.exe, Detection: malicious
                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                            • Filename: AX3-GUI-45.exe, Detection: malicious
                                                                                                            • Filename: qgdf1HLJno.exe, Detection: malicious
                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                            • Filename: install.exe, Detection: malicious
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................|.......|.......|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):2560
                                                                                                            Entropy (8bit):2.8818118453929262
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                            MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                            SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                            SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                            SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):6144
                                                                                                            Entropy (8bit):4.215994423157539
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                                                            MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                                                            SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                                                            SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                                                            SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):23312
                                                                                                            Entropy (8bit):4.596242908851566
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                            MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                            SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                            SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                            SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):3022336
                                                                                                            Entropy (8bit):7.162133384206803
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:49152:EvuOCl8ZHuL49v5Z3GCWLV9/OPKRsPbxTM3aDM1mxKD9PfcH89hsa5yPM28go:EvuuZE49TGnLV9/OiRsPbxTM3aDrKD5F
                                                                                                            MD5:E05CB9BCF48862AAE3955B0DF9D410B2
                                                                                                            SHA1:9F1C639D48E65DEB13BAA9C2C5AFC3A5D28C3C03
                                                                                                            SHA-256:84984F4D6B671BB40127AC38C6D4BEB1A93D782D01D3AA8C6EF23F2C413807FB
                                                                                                            SHA-512:DB398EF71605B3044DED2C12B34849D36E7A6666E12143D1033241A5F8F75395430BB11BA807CDC8A760AF7F4CB8F7C547D354F130B78587C8003438DD9E673C
                                                                                                            Malicious:false
                                                                                                            Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...L..L..................".........(."......."...@.........................................................................."......p#..............................................................................."..............................text.....".......".................`....rdata........".......".............@..@.data....d....#..0....".............@....rsrc........p#.......#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):34874
                                                                                                            Entropy (8bit):6.110919169629535
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:6qW+Ku0jVHIjjVn0SW4K8BnAfDuV9lewloooooooooooo9omSGj98BZZ67SBAaWU:EzpH6jpzBUCUG8BGsWwyY
                                                                                                            MD5:67DA3BEF31BBDEC7E7A1CEC95843E0EE
                                                                                                            SHA1:463341CB6180358C80832D085D4B8480241BFEB1
                                                                                                            SHA-256:3524F35C0ED4D2B68B490744B0D401772108E52A56558485E75B84967525A458
                                                                                                            SHA-512:5E7C0E071A822358B6439E1C655F4AB0F06DC3DD916C5507E2A7D6F6376DBEACD2828044680D2AD83D5FB14CFEF6DCDC77A4FABCD13069D3B5943253A3775CFE
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........4......#.....L...|...............`.....k.......................................... .........................;.......|....................................................................................................................text...dJ.......L..................`.P`.data...8....`.......P..............@.0..rdata..4....p.......R..............@.0@/4...................Z..............@.0..bss..................................`..edata..;............j..............@.0@.idata..|............p..............@.0..CRT....,............v..............@.0..tls.... ............x..............@.0..reloc...............z..............@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):814068
                                                                                                            Entropy (8bit):6.5113626552096
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
                                                                                                            MD5:5B1EB4B36F189362DEF93BF3E37354CC
                                                                                                            SHA1:8C0A4992A6180D0256ABF669DFDEE228F03300BA
                                                                                                            SHA-256:D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
                                                                                                            SHA-512:BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wl....i......#..............................Tl.................................`........ ..........................b...`...L.......h...................@...I...................................................j..X............................text..............................`.P`.data...............................@.`..rdata..\...........................@.`@/4.......S...p...T...H..............@.0@.bss..................................`..edata...b.......d..................@.0@.idata...L...`...L..................@.0..CRT....,............L..............@.0..tls.... ............N..............@.0..rsrc....h.......j...P..............@.0..reloc...I...@...J..................@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):509934
                                                                                                            Entropy (8bit):6.031080686301204
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
                                                                                                            MD5:02E6C6AB886700E6F184EEE43157C066
                                                                                                            SHA1:E796B7F7762BE9B90948EB80D0138C4598700ED9
                                                                                                            SHA-256:EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
                                                                                                            SHA-512:E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........P......#...............................k......................... ......CY........ .....................................................................................................................|...,............................text...T...........................`.P`.data...............................@.0..rdata..XN.......P..................@.`@/4.......x...0...z..................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):181527
                                                                                                            Entropy (8bit):6.362061002967905
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
                                                                                                            MD5:0D0D311D1837705B1EAFBC5A85A695BD
                                                                                                            SHA1:AA7FA3EB181CC5E5B0AA240892156A1646B45184
                                                                                                            SHA-256:AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
                                                                                                            SHA-512:14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..............#..............................Te......................... ................ .........................b........#......................................................................................H............................text...$...........................`.P`.data...4...........................@.0..rdata...J.......L..................@.`@/4.......I... ...J..................@.0@.bss.........p........................`..edata..b............@..............@.0@.idata...#.......$...V..............@.0..CRT....,............z..............@.0..tls.... ............|..............@.0..rsrc................~..............@.0..reloc..............................@.0B........................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):331967
Entropy (8bit):6.197473576252529
Encrypted:false
SSDEEP:6144:lgMpBi/BAG2usHP60T37Zkw/HsVRbGToZjc:jmAG2vHCk37uwObG4jc
MD5:553B2B43312DBA99DA7CB9D9BFCCA0AF
SHA1:8E4CA211EA779060064276C426F7E74C61E1D790
SHA-256:1FB04D4CFAFAE1E3490604D300B4E27B7F1F3CC5234C96D0632A88FC66844F52
SHA-512:85CDC08D4970E9FC0C6FF3E8004CEFBFC07A1DAEECCFE0C3AB478BA82C89707EC8A22D4FC999EFEEFEBA8EE81121211E11F733D1747B9716EEED06D94EE52F44
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................e.........................p......w5........ .........................{....................................P...............................@......................D................................text...d...........................`.P`.data...TB.......D..................@.`..rdata.......0......................@.`@/4......d....@......................@.0@.bss.... .............................`..edata..{...........................@.0@.idata..............................@.0..CRT....,....0......................@.0..tls.... ....@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):337171
Entropy (8bit):6.46334441651647
Encrypted:false
SSDEEP:3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
MD5:51D62C9C7D56F2EF2F0F628B8FC249AD
SHA1:33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
SHA-256:FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
SHA-512:03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#......................... .....c.........................`................ ..........................8........... .......................0.../......................................................`............................text...............................`.P`.data...`.... ......................@.0..rdata..4....0......................@.`@/4......D...........................@.0@.bss..................................`..edata...8.......:...p..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc.../...0...0..................@.0B........................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):448557
Entropy (8bit):6.353356595345232
Encrypted:false
SSDEEP:12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
MD5:908111F583B7019D2ED3492435E5092D
SHA1:8177C5E3B4D5CC1C65108E095D07E0389164DA76
SHA-256:E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
SHA-512:FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....,...................@.....i......................... ......._........ .........................[.......X...............................(&...................................................... ............................text...d*.......,..................`.P`.data........@.......0..............@.`..rdata......P.......2..............@.`@/4..................................@.0@.bss....|.............................`..edata..[............j..............@.0@.idata..X...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..(&.......(..................@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):248781
Entropy (8bit):6.474165596279956
Encrypted:false
SSDEEP:3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
MD5:C4002F9E4234DFB5DBE64C8D2C9C2F09
SHA1:5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
SHA-256:F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
SHA-512:4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........]......#...............................h......................... .......!........ .........................A.......\.......................................................................................\............................text..............................`.P`.data...T...........................@.0..rdata..P[.......\..................@.`@/4.......v...0...v..................@.0@.bss..................................`..edata..A........ ..................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):30994
Entropy (8bit):5.666281517516177
Encrypted:false
SSDEEP:768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
MD5:3C033F35FE26BC711C4D68EB7CF0066D
SHA1:83F1AED76E6F847F6831A1A1C00FEDC50F909B81
SHA-256:9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
SHA-512:7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#.....*...l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.......*..................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):463112
Entropy (8bit):6.363613724826455
Encrypted:false
SSDEEP:12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
MD5:D9D9C79E35945FCA3F9D9A49378226E7
SHA1:4544A47D5B9765E5717273AAFF62724DF643F8F6
SHA-256:18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
SHA-512:B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........V.........#.........R....................lf.......................................... ......................@..w.......................................<....................................................................................text...$...........................`.P`.data... ...........................@.0..rdata...J.......L..................@.`@/4..................................@.0@.bss....h....0........................`..edata..w....@......................@.0@.idata..............................@.0..CRT....,............4..............@.0..tls.... ............6..............@.0..reloc..<............8..............@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):165739
Entropy (8bit):6.062324507479428
Encrypted:false
SSDEEP:3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
MD5:E2F18B37BC3D02CDE2E5C15D93E38418
SHA1:1A6C58F4A50269D3DB8C86D94B508A1919841279
SHA-256:7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
SHA-512:61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........0.........#.........,.....................n................................&......... .........................y....0...D..................................................................................x7...............................text...............................`.P`.data... ...........................@.0..rdata..............................@.`@/4......Dg.......h..................@.0@.bss....(....p........................`..edata..y............8..............@.0@.idata...D...0...F..................@.0..CRT....,............ ..............@.0..tls.... ............"..............@.0..reloc...............$..............@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):64724
Entropy (8bit):5.910307743399971
Encrypted:false
SSDEEP:768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
MD5:7AF455ADEA234DEA33B2A65B715BF683
SHA1:F9311CB03DCF50657D160D89C66998B9BB1F40BA
SHA-256:6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
SHA-512:B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....h........................lm.........................P................ .................................."...0..`....................@............................... .......................................................text...dg.......h..................`.P`.data...0............l..............@.0..rdata...............n..............@.@@/4......\............z..............@.0@.bss....,.............................`..edata..............................@.0@.idata...".......$..................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc...`....0......................@.0..reloc.......@......................@.0B........................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):174543
Entropy (8bit):6.3532700320638025
Encrypted:false
SSDEEP:3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
MD5:65D8CB2733295758E5328E5A3E1AFF15
SHA1:F2378928BB9CCFBA566EC574E501F6A82A833143
SHA-256:E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
SHA-512:BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........g......#...............................c................................6......... .........................Y@......................................0....................................................................................text...D...........................`.P`.data...............................@.`..rdata..0".......$..................@.`@/4.......Z.......\..................@.0@.bss....t....p........................`..edata..Y@.......B...8..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..0...........................@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):65181
Entropy (8bit):6.085572761520829
Encrypted:false
SSDEEP:768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
MD5:98A49CC8AE2D608C6E377E95833C569B
SHA1:BA001D8595AC846D9736A8A7D9161828615C135A
SHA-256:213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
SHA-512:C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):1400653
Entropy (8bit):6.518664771362139
Encrypted:false
SSDEEP:24576:YiyJaaUAnPfI1FO1Fm5wukMdBdfrwQAZV2R6yeYH3bhlN77S+N+RoQ8J0fnuVj1z:4aaUAnI1FOFmZkM1i2n5h++N+RCJ0fA1
MD5:1124DD59526216DF405C4514949CCB54
SHA1:8226C42D98B9D3C0E83A11167963D5B38B6DDD45
SHA-256:A9016D40755966C547464430D3509CC3CFE9DD5D8B53F8B694B42B0D7141E5D6
SHA-512:F007FBD3FBA7E3966FAF5F9D857ADB6607A99CD6FD8FFDF14E858BE6C4A0B155A9197BAA9D1DF0A28AF733F78F8A7346357EBAA7D3BD0C3934BF815CC51A930D
Malicious:false
Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........F.........#.........B... .................q.................................y........ ...................... .......................................0..t............................ ......................8................................text...............................`.P`.data...............................@.`..rdata..Tn... ...p..................@.`@/4.......c.......d...x..............@.0@.bss..................................`..edata....... ......................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..reloc..t....0......................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):259014
                                                                                                            Entropy (8bit):6.075222655669795
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
                                                                                                            MD5:B4FDE05A19346072C713BE2926AF8961
                                                                                                            SHA1:102562DE2240042B654C464F1F22290676CB6E0F
                                                                                                            SHA-256:513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
                                                                                                            SHA-512:9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#..............................xe.........................@.......{........ .........................+;......L.......0.................... ..8...................................................h................................text...............................`.P`.data...$...........................@.0..rdata.../.......0..................@.`@/4.......l.......n..................@.0@.bss....,.............................`..edata..+;.......<...d..............@.0@.idata..L...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...0...........................@.0..reloc..8.... ......................@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1606715
                                                                                                            Entropy (8bit):6.432733703292802
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:qi0l5PSkLHq6M30RmWXD4cE/TpXy4CEJQwAj7/RyYijPIDEFIgX3zdHyqFMa:eSqVMkRm3dyEYiGEFTdfFN
                                                                                                            MD5:34007E6F8E18D371DBFF19A279B008C3
                                                                                                            SHA1:58B091382EB981587CA6FDFAFC314E458598B8BB
                                                                                                            SHA-256:44D65416BB7EC0F43CE91927B33002CDF3E56038562F83E602C19A20C48AEB7D
                                                                                                            SHA-512:37F6338CDEA6220CF9079F25F760A2C7A50A01BD6A98C01798D20203F5A56FA0F37CDD7E91AE246C1077A34EC4FA42E9D2305ADA7CA8945E6591C8E26164C906
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#.............*................xm......................................... .........................9........z......`.......................<....................................................................................text...D...........................`.P`.data...............................@.`..rdata..4...........................@.`@/4......D...........................@.0@.bss.....)............................`..edata..9........ ...|..............@.0@.idata...z.......|..................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...`...........................@.0..reloc..<............ ..............@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):441975
                                                                                                            Entropy (8bit):6.372283713065844
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
                                                                                                            MD5:6CD78C8ADD1CFC7CBB85E2B971FCC764
                                                                                                            SHA1:5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
                                                                                                            SHA-256:C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
                                                                                                            SHA-512:EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....~.........................a......................... ......A3........ ..........................'......................................|....................................................................................text...4|.......~..................`.P`.data...............................@.`..rdata..............................@.`@/4..................................@.0@.bss..................................`..edata...'.......(...R..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..|...........................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):706136
                                                                                                            Entropy (8bit):6.517672165992715
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
                                                                                                            MD5:3A8A13F0215CDA541EC58F7C80ED4782
                                                                                                            SHA1:085C3D5F62227319446DD61082919F6BE1EFD162
                                                                                                            SHA-256:A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
                                                                                                            SHA-512:4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.......Q......#..............................Pe......................... ................ .........................A.......L............................... ,......................................................,............................text...8...........................`.P`.data...............................@.P..rdata..............................@.`@/4......\............x..............@.0@.bss..................................`..edata..A........ ...^..............@.0@.idata..L............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc.. ,..........................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1222671
                                                                                                            Entropy (8bit):6.4094687832944235
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:s2AYizbUVBV0u6ydQXUPIUJL0VGQRhORRajBbGN2JtYI3+0EIZy3fh6UtvR6YO3c:1AYhVBBsUJLORhH0QtYI33EuS1tvzO3c
                                                                                                            MD5:C12734BD4C4C33E788FE7FC6C1E47522
                                                                                                            SHA1:F474AB91C5DECD6D533C1DA016DC65800DBC5E9D
                                                                                                            SHA-256:9FFCD35CAEC4B199481620C82B8E2AFA9AE26F557D9A99C18B7DC23E61D59131
                                                                                                            SHA-512:AE948D3AB723144D2546F8B3401805CCFFBB312A14AD8D314685FB1EA85E74955F1372FEFE177571F518F51E66783B9813F876B93B35ED6E27C0E4743D59FA80
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........z..(......#.........v....................|h.................................*........ ......................`.......0.......p...........................k...........................`......................d5..`............................text...X...........................`.P`.data...|...........................@.`..rdata...N.......P..................@.`@/4......l....0......................@.0@.bss.... ....@........................`..edata.......`......................@.0@.idata.......0... ..................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc........p......................@.0..reloc...k.......l..................@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1374336
                                                                                                            Entropy (8bit):6.544219940913283
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:XxPyiEuJLPKpBW3n41iniSpKMFH/ZNYTujQb/XseSGwUCowrnDKHYHdT8s5ly8:B5XlHdxV
                                                                                                            MD5:86CE128833ECB1AC52EBED17993C1B56
                                                                                                            SHA1:C7FC8F88E908591CAAA9F25B954B06E814576158
                                                                                                            SHA-256:B22B57B0B6E0FD531CEA32CED338B9D12DD018D09D0B95CD61F166F64253B355
                                                                                                            SHA-512:1B8BEE2668599E33EA6F8121F7584431211512D6BCC8B409EAE162FBD6B505B0F4D0CD984AC8439C515BE4058A20270954D5DCBC62D16E95ED31A8225500F839
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........L......#.....0...................@.....k.................................W........ .........................I....P...................................}...................................................i...............................text..../.......0..................`.P`.data...<....@.......4..............@.@..rdata..,....P.......6..............@.`@/4.......@...@...B...&..............@.0@.bss..................................`..edata..I............h..............@.0@.idata.......P......................@.0..CRT....,....p.......&..............@.0..tls.... ............(..............@.0..reloc...}.......~...*..............@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1055417
                                                                                                            Entropy (8bit):7.312780382733874
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:1MWKOBAUZLYRwPKDOlbbT0pGavkg3NyeuQ6l9fHOfc4Z:1dBAUZLYWiDOSpGaXBuQQ9u3Z
                                                                                                            MD5:F721A6B0A1590D55EADEAE81B8F629AA
                                                                                                            SHA1:8C6ED37D1D926D949161FF5F3B5682A4068644CE
                                                                                                            SHA-256:8E2EB9BAC3F5C37D91BFF7F04420DDA55CD369178C73ADF11E6C4DD7E597260F
                                                                                                            SHA-512:2FFDB23615EE72DF600248D6B9DED0E25DAE12D8424557EC07589F34601C00421CF32A748CB564AFCED99B419805E43BF4D6D05EC33D581DBD03F9AF853005E8
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........F......#.............................. f.......................................... ...................... ..u....0..<....`.......................p...............................P......................T1...............................text...D...........................`.P`.data...T...........................@.0..rdata..............................@.`@/4......TI.......J..................@.0@.bss..................................`..edata..u.... ......................@.0@.idata..<....0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):248694
                                                                                                            Entropy (8bit):6.346971642353424
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
                                                                                                            MD5:39A15291B9A87AEE42FBC46EC1FE35D6
                                                                                                            SHA1:AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
                                                                                                            SHA-256:7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
                                                                                                            SHA-512:FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....x.........................i.......................................... ......................`..u........1...................................................................................................................text...Tw.......x..................`.P`.data................|..............@.`..rdata..t;.......<...~..............@.`@/4.......f.......h..................@.0@.bss.........P........................`..edata..u....`......."..............@.0@.idata...1.......2...>..............@.0..CRT....,............p..............@.0..tls.... ............r..............@.0..reloc...............t..............@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):171891
                                                                                                            Entropy (8bit):6.538736066456448
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:TRRma2qUCPK2rK6GA7AXPkqrAncdGcaXyRMOlJYYM0kUnha:l+FickwRMO6
                                                                                                            MD5:008B7C32B61496AE1A63F112CB79AA01
                                                                                                            SHA1:C2DA5E4A373053AE693CB70FBC86C1C119995283
                                                                                                            SHA-256:B79187454CFDB9727EE902E8FBB0E49FA2DD09EB6699A03F1ED585FFB0911657
                                                                                                            SHA-512:EC5F664132EDE7F9D21107118C5BA333F2C30DE0F441F817A37F11C997EE5DD4D1712E4A089923F96AE942E797D7938AA3267584727EF3062E740BD247B70990
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........=......#.....v.........................i................................T......... .................................@................................6..................................................@................................text....u.......v..................`.P`.data... ............z..............@.0..rdata...............|..............@.`@/4......HB...0...D..................@.0@.bss..................................`..edata...............F..............@.0@.idata..@............R..............@.0..CRT....,............Z..............@.0..tls.... ............\..............@.0..reloc...6.......8...^..............@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):291245
                                                                                                            Entropy (8bit):6.234245376773595
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
                                                                                                            MD5:2D8A0BC588118AA2A63EED7BF6DFC8C5
                                                                                                            SHA1:7FB318DC21768CD62C0614D7AD773CCFB7D6C893
                                                                                                            SHA-256:707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
                                                                                                            SHA-512:A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........h..@......#.........d....................4i................................<......... ......................p..5.......t...................................................................................<................................text...T...........................`.P`.data...0...........................@.0..rdata...v.......x..................@.`@/4...........@......................@.0@.bss.........`........................`..edata..5....p.......6..............@.0@.idata..t............>..............@.0..CRT....,............F..............@.0..tls.... ............H..............@.0..reloc...............J..............@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1545467
                                                                                                            Entropy (8bit):6.529166035051036
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:f//9GOTyiDI4jm0B4/W1EkWLENaQemY0y6hW98cA4q0v4gf:bVYKW983e
                                                                                                            MD5:7F95672216191C57573D049090125ECE
                                                                                                            SHA1:2C9D065A1F28F511149C3DBA219B52004FC51262
                                                                                                            SHA-256:689991853CD09032089F52656C9508061F105FAB5727F250890563EBF2656A45
                                                                                                            SHA-512:FD0DD095D5D76400FA97F5B3231D16570284EC31D04E2E9F3278F378233F316D4D91715898BF8A1B81803E613B97B2FE5FB064A9BD6BAE6E08AD3CAB9613E61B
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........~.........#.....4...z...............P.....o.......................................... ..........................p...0...............................p...t...........................`.......................2..D............................text....2.......4..................`.P`.data........P... ...8..............@.`..rdata..@....p.......X..............@.`@/4.......M...P...N...2..............@.0@.bss..................................`..edata...p.......r..................@.0@.idata.......0......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..reloc...t...p...v..................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):397808
                                                                                                            Entropy (8bit):6.396146399966879
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
                                                                                                            MD5:E0747D2E573E0A05A7421C5D9B9D63CC
                                                                                                            SHA1:C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
                                                                                                            SHA-256:25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
                                                                                                            SHA-512:201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\4......n......#......................... ....Dk.......................................... ..........................5...0...............................`..T............................P.......................2...............................text...D...........................`.P`.data...X1... ...2..................@.`..rdata..x....`.......F..............@.`@/4..................................@.0@.bss....`.............................`..edata...5.......6..................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..reloc..T....`......................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):98626
                                                                                                            Entropy (8bit):6.478068795827396
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
                                                                                                            MD5:70CA53E8B46464CCF956D157501D367A
                                                                                                            SHA1:AE0356FAE59D9C2042270E157EA0D311A831C86A
                                                                                                            SHA-256:4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
                                                                                                            SHA-512:CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....='=.x..=......#.........t.....................c.......................................... .................................8...............................0...................................................0................................text...t...........................`.P`.data... ...........................@.0..rdata...M.......N..................@.`@/4......t&...P...(...4..............@.0@.bss..................................`..edata...............\..............@.0@.idata..8............f..............@.0..CRT....,............n..............@.0..tls.... ............p..............@.0..reloc..0............r..............@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):92019
                                                                                                            Entropy (8bit):5.974787373427489
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
                                                                                                            MD5:CC7DAD980DD04E0387795741D809CBF7
                                                                                                            SHA1:A49178A17B1C72AD71558606647F5011E0AA444B
                                                                                                            SHA-256:0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
                                                                                                            SHA-512:E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(....0..7......#.........,.....................m................................B......... ...................... .......0...*...........................................................p......................t5...............................text..............................`.P`.data... ...........................@.0..rdata..............................@.`@/4.......(.......*..................@.0@.bss..................................`..edata....... ......................@.0@.idata...*...0...,..................@.0..CRT....,....`....... ..............@.0..tls.... ....p......."..............@.0..rsrc................$..............@.0..reloc...............(..............@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26562
                                                                                                            Entropy (8bit):5.606958768500933
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
                                                                                                            MD5:E9C7068B3A10C09A283259AA1B5D86F2
                                                                                                            SHA1:3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
                                                                                                            SHA-256:06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
                                                                                                            SHA-512:AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7G7.Z..V......#.....(...V...............@.....m.......................................... .........................O...............p.......................l.......................................................@............................text....&.......(..................`.P`.data...0....@.......,..............@.0..rdata.......P......................@.0@/4...........`.......6..............@.0@.bss.........p........................`..edata..O............B..............@.0@.idata...............D..............@.0..CRT....,............N..............@.0..tls.... ............P..............@.0..rsrc...p............R..............@.0..reloc..l............V..............@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):140752
                                                                                                            Entropy (8bit):6.52778891175594
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
                                                                                                            MD5:A8F646EB087F06F5AEBC2539EB14C14D
                                                                                                            SHA1:4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
                                                                                                            SHA-256:A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
                                                                                                            SHA-512:93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....T...................p.....a.......................................... ......................0.......@.......p..@.......................T............................`......................8B...............................text....R.......T..................`.P`.data........p.......X..............@.`..rdata...F.......H...\..............@.`@/4......L3.......4..................@.0@.bss....@.............................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...@....p......................@.0..reloc..T...........................@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):268404
                                                                                                            Entropy (8bit):6.265024248848175
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
                                                                                                            MD5:C4C23388109D8A9CC2B87D984A1F09B8
                                                                                                            SHA1:74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
                                                                                                            SHA-256:11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
                                                                                                            SHA-512:060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....V...................p....4j.......................................... ......................`.......`..xk..............................D....................................................k...............................text....T.......V..................`.P`.data... ....p.......Z..............@.0..rdata..X ......."...\..............@.`@/4......0............~..............@.0@.bss....H....P........................`..edata.......`......................@.0@.idata..xk...`...l..................@.0..CRT....,............x..............@.0..tls.... ............z..............@.0..reloc..D............|..............@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):171848
                                                                                                            Entropy (8bit):6.579154579239999
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
                                                                                                            MD5:236A679AB1B16E66625AFBA86A4669EB
                                                                                                            SHA1:73AE354886AB2609FFA83429E74D8D9F34BD45F2
                                                                                                            SHA-256:B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
                                                                                                            SHA-512:C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ......;......#...............................c................................q......... .........................,.......<.......H...........................................................................(................................text...............................`.P`.data... ...........................@.0..rdata..|y.......z..................@.`@/4......HN...@...P... ..............@.0@.bss..................................`..edata..,............p..............@.0@.idata..<............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...H...........................@.0..reloc..............................@.0B........................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):235032
Entropy (8bit):6.398850087061798
Encrypted:false
SSDEEP:6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
MD5:E1D0ACD1243F9E59491DC115F4E379A4
SHA1:5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
SHA-256:FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
SHA-512:392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):121524
Entropy (8bit):6.347995296737745
Encrypted:false
SSDEEP:1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
MD5:6CE25FB0302F133CC244889C360A6541
SHA1:352892DD270135AF5A79322C3B08F46298B6E79C
SHA-256:E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
SHA-512:3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):101544
Entropy (8bit):6.237382830377451
Encrypted:false
SSDEEP:1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
MD5:E13FCD8FB16E483E4DE47A036687D904
SHA1:A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
SHA-256:0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
SHA-512:38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):693931
Entropy (8bit):6.506667977069754
Encrypted:false
SSDEEP:12288:pgl0XdgCyZfZ1hTDy4ArwyP5Lt6fEWmOxU:u0NnYZ1hTDy44PTZOG
MD5:37CE2C67DDCEE507833B9AE784AE515D
SHA1:711B2AAE989D439CC816D198A3A4A7CDD6A070A3
SHA-256:7A2BD595F34A25C13E94E4C2CDFB1758E9DE60FA7D497F5755BBBF906E82A0D7
SHA-512:B8FB5A3D2CA99A661FB35F1C560A283070D28A1E438BF124632D4AD8D2EBE0869DF73F1AB8149DEA1FCA66B0285D28028DF83EF36AB27431ED26176EC2A21FCE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):77357
Entropy (8bit):6.003890755757059
Encrypted:false
SSDEEP:768:lsg/YB6cIv1UXt5rH+LOjP5jq5d7TEQEHh9XVAkIIOzZso5lo5h4Sr7R0z26sl0S:3Zv1Ot5rH+LCBq53gAkIPaGlGaBz2/
MD5:8CFCAA001CF641ECF4096FB9A558FCE4
SHA1:00028C0FA2E271468E2E58EE7310BB5A576E167A
SHA-256:40B35A3606E6E4807B6F70DBEF21ABF0E52A78D8F44BD5D42CAFF178DC1E6F3A
SHA-512:0AD1E526687543E8A867F67FD0BFD34B4EF58A77640CA9509C18A1337131EA990B8A75F83BF31D0FFC8F014EA98EC2428733E90DD37E07F3F51D16B3054DBEAE
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:current ar archive
Category:dropped
Size (bytes):3374
Entropy (8bit):3.7689758101532167
Encrypted:false
SSDEEP:48:3pn0BGhzP2uaY9aBnNZgHaYwjunvr2Yck/a0BJHx0Lunvr2Hck/a0BJHx0x6XDi5:3d0YraWKa/JjVEJjXJjbJjIr
MD5:84760273DD8786D0C5CE4A0F13661196
SHA1:361D22F2D7BD725CD87E9F4D9AE07A7956B3383B
SHA-256:5C1EB7463681707CC4D6DC89C5408C642B86FF8CE68255472A5FC7DE9634990B
SHA-512:016D70D5E9ABA12D4584C2B5E35CF50A818B7D279FC48F1B27D561DDB9761AA833D9FE86CBFE39E8941FE9ABCA117A18B82DA1D4EC0DC510CE6A58808F7FE302
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:current ar archive
Category:dropped
Size (bytes):3352
Entropy (8bit):3.75078158408444
Encrypted:false
SSDEEP:48:6wBGhKg2uaYJBnNZgHaYw2unvr2Yck/a0BJHx02unvr2Hck/a0BJHx0I6XDi36rN:X0/WKz/Jj8EJj+JjeJjA
MD5:47AB84C733EA6B1C3AE6D8C5BCCA1EA0
SHA1:DEFD81482F542EA644CCEB0A594DAF956B4C2212
SHA-256:76081993ACE0D56C7B5658445ABCAFD33AEE2F36D569009A0AE96661AF4D5754
SHA-512:F8340524367DA14DDA881004BFA4326B4FEA5F4C8F2F6309AE5A1D5D1527C0F4F583BA7CE5AC5543898205DAFD42D4A862CB2CB36B3F14508CAD174E3DAA55A1
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):52536
Entropy (8bit):5.866165289046607
Encrypted:false
SSDEEP:768:7rJKVENojpHEOq0LuMU+Wpkhq3/lZgFl9rPwuRPYckIZme06mv:pKVwolHEOqQuMU+ikcSl9tYckh6o
MD5:788D9B12D672B2B34933E4872F82340A
SHA1:F8532FF9F3F7A0D24C5AB03F8E93CAC33FF250D1
SHA-256:5EE4C18D2A88086BF68B344DB3CCC26EE5A6ADF129172A4CA8E0D96851FBA3A1
SHA-512:8E4B0FEBF2CD75223AF0FE9A156E77A24CED35D640D8E0B8D18EE7B07AD8CC4E608582CF5A7243F46626114B00B2E28723E8E46DBD30085F310DC64FB33C019E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):52536
Entropy (8bit):5.866165289046607
Encrypted:false
SSDEEP:768:7rJKVENojpHEOq0LuMU+Wpkhq3/lZgFl9rPwuRPYckIZme06mv:pKVwolHEOqQuMU+ikcSl9tYckh6o
MD5:788D9B12D672B2B34933E4872F82340A
SHA1:F8532FF9F3F7A0D24C5AB03F8E93CAC33FF250D1
SHA-256:5EE4C18D2A88086BF68B344DB3CCC26EE5A6ADF129172A4CA8E0D96851FBA3A1
SHA-512:8E4B0FEBF2CD75223AF0FE9A156E77A24CED35D640D8E0B8D18EE7B07AD8CC4E608582CF5A7243F46626114B00B2E28723E8E46DBD30085F310DC64FB33C019E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:current ar archive
Category:dropped
Size (bytes):3374
Entropy (8bit):3.7689758101532167
Encrypted:false
SSDEEP:48:3pn0BGhzP2uaY9aBnNZgHaYwjunvr2Yck/a0BJHx0Lunvr2Hck/a0BJHx0x6XDi5:3d0YraWKa/JjVEJjXJjbJjIr
MD5:84760273DD8786D0C5CE4A0F13661196
SHA1:361D22F2D7BD725CD87E9F4D9AE07A7956B3383B
SHA-256:5C1EB7463681707CC4D6DC89C5408C642B86FF8CE68255472A5FC7DE9634990B
SHA-512:016D70D5E9ABA12D4584C2B5E35CF50A818B7D279FC48F1B27D561DDB9761AA833D9FE86CBFE39E8941FE9ABCA117A18B82DA1D4EC0DC510CE6A58808F7FE302
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):77357
Entropy (8bit):6.003890755757059
Encrypted:false
SSDEEP:768:lsg/YB6cIv1UXt5rH+LOjP5jq5d7TEQEHh9XVAkIIOzZso5lo5h4Sr7R0z26sl0S:3Zv1Ot5rH+LCBq53gAkIPaGlGaBz2/
MD5:8CFCAA001CF641ECF4096FB9A558FCE4
SHA1:00028C0FA2E271468E2E58EE7310BB5A576E167A
SHA-256:40B35A3606E6E4807B6F70DBEF21ABF0E52A78D8F44BD5D42CAFF178DC1E6F3A
SHA-512:0AD1E526687543E8A867F67FD0BFD34B4EF58A77640CA9509C18A1337131EA990B8A75F83BF31D0FFC8F014EA98EC2428733E90DD37E07F3F51D16B3054DBEAE
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:current ar archive
                                                                                                            Category:dropped
                                                                                                            Size (bytes):3352
                                                                                                            Entropy (8bit):3.75078158408444
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:6wBGhKg2uaYJBnNZgHaYw2unvr2Yck/a0BJHx02unvr2Hck/a0BJHx0I6XDi36rN:X0/WKz/Jj8EJj+JjeJjA
                                                                                                            MD5:47AB84C733EA6B1C3AE6D8C5BCCA1EA0
                                                                                                            SHA1:DEFD81482F542EA644CCEB0A594DAF956B4C2212
                                                                                                            SHA-256:76081993ACE0D56C7B5658445ABCAFD33AEE2F36D569009A0AE96661AF4D5754
                                                                                                            SHA-512:F8340524367DA14DDA881004BFA4326B4FEA5F4C8F2F6309AE5A1D5D1527C0F4F583BA7CE5AC5543898205DAFD42D4A862CB2CB36B3F14508CAD174E3DAA55A1
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:C source, ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):620
                                                                                                            Entropy (8bit):5.054875418324422
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:U+LCtu+jrgt6FzHyshRrv0FjiFqnfY7FMnfY//Gao5wroMPgyp+:XLklm6Fb9Hv8aqnEFMnNGkyp+
                                                                                                            MD5:D8133FE722BAB5266BA6666638468190
                                                                                                            SHA1:0B172DBBB3E5F159908CA979D0046BB23F164EF5
                                                                                                            SHA-256:53CC3D1AC33BC613538E0D7BCBDE66DABEACB2CA6550E84B26D8EACAEAF3880E
                                                                                                            SHA-512:51080BC678BD1E6E45ADE6694D94603D62DEF65505D25658A1C90BFC3D7E652F2C3CE606817F4CB0626701BC63D8C021A5A78C923F1B633B153F8D26CA2D32B8
                                                                                                            Malicious:false
                                                                                                            Preview:/* gdkconfig.h. *. * This is a generated file. Please modify `configure.in'. */..#ifndef GDKCONFIG_H.#define GDKCONFIG_H..#ifdef __cplusplus.extern "C" {.#endif /* __cplusplus */..#ifndef GSEAL./* introduce GSEAL() here for all of Gdk and Gtk+ without the need to modify GLib */.# ifdef GSEAL_ENABLE.# define GSEAL(ident) _g_sealed__ ## ident.# else.# define GSEAL(ident) ident.# endif.#endif /* !GSEAL */...#define GDK_NATIVE_WINDOW_POINTER..#define GDK_WINDOWING_WIN32..#define GDK_HAVE_WCHAR_H 1.#define GDK_HAVE_WCTYPE_H 1..#ifdef __cplusplus.}.#endif /* __cplusplus */..#endif /* GDKCONFIG_H */.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:C source, ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):620
                                                                                                            Entropy (8bit):5.054875418324422
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:U+LCtu+jrgt6FzHyshRrv0FjiFqnfY7FMnfY//Gao5wroMPgyp+:XLklm6Fb9Hv8aqnEFMnNGkyp+
                                                                                                            MD5:D8133FE722BAB5266BA6666638468190
                                                                                                            SHA1:0B172DBBB3E5F159908CA979D0046BB23F164EF5
                                                                                                            SHA-256:53CC3D1AC33BC613538E0D7BCBDE66DABEACB2CA6550E84B26D8EACAEAF3880E
                                                                                                            SHA-512:51080BC678BD1E6E45ADE6694D94603D62DEF65505D25658A1C90BFC3D7E652F2C3CE606817F4CB0626701BC63D8C021A5A78C923F1B633B153F8D26CA2D32B8
                                                                                                            Malicious:false
                                                                                                            Preview:/* gdkconfig.h. *. * This is a generated file. Please modify `configure.in'. */..#ifndef GDKCONFIG_H.#define GDKCONFIG_H..#ifdef __cplusplus.extern "C" {.#endif /* __cplusplus */..#ifndef GSEAL./* introduce GSEAL() here for all of Gdk and Gtk+ without the need to modify GLib */.# ifdef GSEAL_ENABLE.# define GSEAL(ident) _g_sealed__ ## ident.# else.# define GSEAL(ident) ident.# endif.#endif /* !GSEAL */...#define GDK_NATIVE_WINDOW_POINTER..#define GDK_WINDOWING_WIN32..#define GDK_HAVE_WCHAR_H 1.#define GDK_HAVE_WCTYPE_H 1..#ifdef __cplusplus.}.#endif /* __cplusplus */..#endif /* GDKCONFIG_H */.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):354415
                                                                                                            Entropy (8bit):6.210063535561321
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:5o2gMoQeMrpP7cPuFtMpMN/t+2rWkTLF4q5lajFqt1D7TO1ex:5o2gMobMtcyCpG1+2rWkTLF4q5lajFq5
                                                                                                            MD5:FF1CB676E2BDD7F5FC8F407D6B9BEFF0
                                                                                                            SHA1:1E7BA04BB81EC9AF48526626047B93D3D9C6E3C4
                                                                                                            SHA-256:ABEAC530CEE9B6683F63F19B0C7D525FBA76C3A6C1B88E287DEEDB54218B9E91
                                                                                                            SHA-512:324545144EB41AE1ABDD4D9BDF0CA640423E92F994978FA775D88210E3C271DFF7FC153D5F7063816E526FF074C7A1DC10479AE6F9A38C7EBD6707F0643B3795
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:current ar archive
                                                                                                            Category:dropped
                                                                                                            Size (bytes):96048
                                                                                                            Entropy (8bit):3.9600630609123852
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:HQ8jrTtkZlUUJNKMAT+nzjoB1Zo6re0Z7xZS7EgUO3SO6R0i4d9e1bdBduURiRex:HQ8j9kZlUUJNtOjUBkg4lyxULFNUY
                                                                                                            MD5:B870F60DF7A5C0776D5213770D0AD678
                                                                                                            SHA1:4AEC10F0308099D9D994E905E9F5AED42F649574
                                                                                                            SHA-256:E2E263FF2A825153C868C2C1794E3C3B0355053BB6017429011990E5BDB9282D
                                                                                                            SHA-512:7C0431C4FD6C4380D69CC4454D6B02BDAD512D5CE035B06FA12611E144594E4DCD8B2C6928CCE400ABBD29E1D7781181E5A97196FA02527D5295ED11E54A8484
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):354415
                                                                                                            Entropy (8bit):6.210063535561321
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:5o2gMoQeMrpP7cPuFtMpMN/t+2rWkTLF4q5lajFqt1D7TO1ex:5o2gMobMtcyCpG1+2rWkTLF4q5lajFq5
                                                                                                            MD5:FF1CB676E2BDD7F5FC8F407D6B9BEFF0
                                                                                                            SHA1:1E7BA04BB81EC9AF48526626047B93D3D9C6E3C4
                                                                                                            SHA-256:ABEAC530CEE9B6683F63F19B0C7D525FBA76C3A6C1B88E287DEEDB54218B9E91
                                                                                                            SHA-512:324545144EB41AE1ABDD4D9BDF0CA640423E92F994978FA775D88210E3C271DFF7FC153D5F7063816E526FF074C7A1DC10479AE6F9A38C7EBD6707F0643B3795
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:current ar archive
                                                                                                            Category:dropped
                                                                                                            Size (bytes):96048
                                                                                                            Entropy (8bit):3.9600630609123852
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:HQ8jrTtkZlUUJNKMAT+nzjoB1Zo6re0Z7xZS7EgUO3SO6R0i4d9e1bdBduURiRex:HQ8j9kZlUUJNtOjUBkg4lyxULFNUY
                                                                                                            MD5:B870F60DF7A5C0776D5213770D0AD678
                                                                                                            SHA1:4AEC10F0308099D9D994E905E9F5AED42F649574
                                                                                                            SHA-256:E2E263FF2A825153C868C2C1794E3C3B0355053BB6017429011990E5BDB9282D
                                                                                                            SHA-512:7C0431C4FD6C4380D69CC4454D6B02BDAD512D5CE035B06FA12611E144594E4DCD8B2C6928CCE400ABBD29E1D7781181E5A97196FA02527D5295ED11E54A8484
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):171891
                                                                                                            Entropy (8bit):6.538736066456448
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:TRRma2qUCPK2rK6GA7AXPkqrAncdGcaXyRMOlJYYM0kUnha:l+FickwRMO6
                                                                                                            MD5:008B7C32B61496AE1A63F112CB79AA01
                                                                                                            SHA1:C2DA5E4A373053AE693CB70FBC86C1C119995283
                                                                                                            SHA-256:B79187454CFDB9727EE902E8FBB0E49FA2DD09EB6699A03F1ED585FFB0911657
                                                                                                            SHA-512:EC5F664132EDE7F9D21107118C5BA333F2C30DE0F441F817A37F11C997EE5DD4D1712E4A089923F96AE942E797D7938AA3267584727EF3062E740BD247B70990
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):34874
                                                                                                            Entropy (8bit):6.110919169629535
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:6qW+Ku0jVHIjjVn0SW4K8BnAfDuV9lewloooooooooooo9omSGj98BZZ67SBAaWU:EzpH6jpzBUCUG8BGsWwyY
                                                                                                            MD5:67DA3BEF31BBDEC7E7A1CEC95843E0EE
                                                                                                            SHA1:463341CB6180358C80832D085D4B8480241BFEB1
                                                                                                            SHA-256:3524F35C0ED4D2B68B490744B0D401772108E52A56558485E75B84967525A458
                                                                                                            SHA-512:5E7C0E071A822358B6439E1C655F4AB0F06DC3DD916C5507E2A7D6F6376DBEACD2828044680D2AD83D5FB14CFEF6DCDC77A4FABCD13069D3B5943253A3775CFE
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):331967
                                                                                                            Entropy (8bit):6.197473576252529
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:lgMpBi/BAG2usHP60T37Zkw/HsVRbGToZjc:jmAG2vHCk37uwObG4jc
                                                                                                            MD5:553B2B43312DBA99DA7CB9D9BFCCA0AF
                                                                                                            SHA1:8E4CA211EA779060064276C426F7E74C61E1D790
                                                                                                            SHA-256:1FB04D4CFAFAE1E3490604D300B4E27B7F1F3CC5234C96D0632A88FC66844F52
                                                                                                            SHA-512:85CDC08D4970E9FC0C6FF3E8004CEFBFC07A1DAEECCFE0C3AB478BA82C89707EC8A22D4FC999EFEEFEBA8EE81121211E11F733D1747B9716EEED06D94EE52F44
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):693931
                                                                                                            Entropy (8bit):6.506667977069754
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:pgl0XdgCyZfZ1hTDy4ArwyP5Lt6fEWmOxU:u0NnYZ1hTDy44PTZOG
                                                                                                            MD5:37CE2C67DDCEE507833B9AE784AE515D
                                                                                                            SHA1:711B2AAE989D439CC816D198A3A4A7CDD6A070A3
                                                                                                            SHA-256:7A2BD595F34A25C13E94E4C2CDFB1758E9DE60FA7D497F5755BBBF906E82A0D7
                                                                                                            SHA-512:B8FB5A3D2CA99A661FB35F1C560A283070D28A1E438BF124632D4AD8D2EBE0869DF73F1AB8149DEA1FCA66B0285D28028DF83EF36AB27431ED26176EC2A21FCE
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):121524
                                                                                                            Entropy (8bit):6.347995296737745
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
                                                                                                            MD5:6CE25FB0302F133CC244889C360A6541
                                                                                                            SHA1:352892DD270135AF5A79322C3B08F46298B6E79C
                                                                                                            SHA-256:E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
                                                                                                            SHA-512:3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):814068
                                                                                                            Entropy (8bit):6.5113626552096
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
                                                                                                            MD5:5B1EB4B36F189362DEF93BF3E37354CC
                                                                                                            SHA1:8C0A4992A6180D0256ABF669DFDEE228F03300BA
                                                                                                            SHA-256:D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
                                                                                                            SHA-512:BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):181527
                                                                                                            Entropy (8bit):6.362061002967905
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
                                                                                                            MD5:0D0D311D1837705B1EAFBC5A85A695BD
                                                                                                            SHA1:AA7FA3EB181CC5E5B0AA240892156A1646B45184
                                                                                                            SHA-256:AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
                                                                                                            SHA-512:14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):268404
                                                                                                            Entropy (8bit):6.265024248848175
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
                                                                                                            MD5:C4C23388109D8A9CC2B87D984A1F09B8
                                                                                                            SHA1:74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
                                                                                                            SHA-256:11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
                                                                                                            SHA-512:060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1606715
                                                                                                            Entropy (8bit):6.432733703292802
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:qi0l5PSkLHq6M30RmWXD4cE/TpXy4CEJQwAj7/RyYijPIDEFIgX3zdHyqFMa:eSqVMkRm3dyEYiGEFTdfFN
                                                                                                            MD5:34007E6F8E18D371DBFF19A279B008C3
                                                                                                            SHA1:58B091382EB981587CA6FDFAFC314E458598B8BB
                                                                                                            SHA-256:44D65416BB7EC0F43CE91927B33002CDF3E56038562F83E602C19A20C48AEB7D
                                                                                                            SHA-512:37F6338CDEA6220CF9079F25F760A2C7A50A01BD6A98C01798D20203F5A56FA0F37CDD7E91AE246C1077A34EC4FA42E9D2305ADA7CA8945E6591C8E26164C906
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1374336
                                                                                                            Entropy (8bit):6.544219940913283
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:XxPyiEuJLPKpBW3n41iniSpKMFH/ZNYTujQb/XseSGwUCowrnDKHYHdT8s5ly8:B5XlHdxV
                                                                                                            MD5:86CE128833ECB1AC52EBED17993C1B56
                                                                                                            SHA1:C7FC8F88E908591CAAA9F25B954B06E814576158
                                                                                                            SHA-256:B22B57B0B6E0FD531CEA32CED338B9D12DD018D09D0B95CD61F166F64253B355
                                                                                                            SHA-512:1B8BEE2668599E33EA6F8121F7584431211512D6BCC8B409EAE162FBD6B505B0F4D0CD984AC8439C515BE4058A20270954D5DCBC62D16E95ED31A8225500F839
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1222671
                                                                                                            Entropy (8bit):6.4094687832944235
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:s2AYizbUVBV0u6ydQXUPIUJL0VGQRhORRajBbGN2JtYI3+0EIZy3fh6UtvR6YO3c:1AYhVBBsUJLORhH0QtYI33EuS1tvzO3c
                                                                                                            MD5:C12734BD4C4C33E788FE7FC6C1E47522
                                                                                                            SHA1:F474AB91C5DECD6D533C1DA016DC65800DBC5E9D
                                                                                                            SHA-256:9FFCD35CAEC4B199481620C82B8E2AFA9AE26F557D9A99C18B7DC23E61D59131
                                                                                                            SHA-512:AE948D3AB723144D2546F8B3401805CCFFBB312A14AD8D314685FB1EA85E74955F1372FEFE177571F518F51E66783B9813F876B93B35ED6E27C0E4743D59FA80
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):463112
                                                                                                            Entropy (8bit):6.363613724826455
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
                                                                                                            MD5:D9D9C79E35945FCA3F9D9A49378226E7
                                                                                                            SHA1:4544A47D5B9765E5717273AAFF62724DF643F8F6
                                                                                                            SHA-256:18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
                                                                                                            SHA-512:B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26562
                                                                                                            Entropy (8bit):5.606958768500933
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
                                                                                                            MD5:E9C7068B3A10C09A283259AA1B5D86F2
                                                                                                            SHA1:3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
                                                                                                            SHA-256:06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
                                                                                                            SHA-512:AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7G7.Z..V......#.....(...V...............@.....m.......................................... .........................O...............p.......................l.......................................................@............................text....&.......(..................`.P`.data...0....@.......,..............@.0..rdata.......P......................@.0@/4...........`.......6..............@.0@.bss.........p........................`..edata..O............B..............@.0@.idata...............D..............@.0..CRT....,............N..............@.0..tls.... ............P..............@.0..rsrc...p............R..............@.0..reloc..l............V..............@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):337171
                                                                                                            Entropy (8bit):6.46334441651647
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
                                                                                                            MD5:51D62C9C7D56F2EF2F0F628B8FC249AD
                                                                                                            SHA1:33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
                                                                                                            SHA-256:FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
                                                                                                            SHA-512:03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#......................... .....c.........................`................ ..........................8........... .......................0.../......................................................`............................text...............................`.P`.data...`.... ......................@.0..rdata..4....0......................@.`@/4......D...........................@.0@.bss..................................`..edata...8.......:...p..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc.../...0...0..................@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):174543
                                                                                                            Entropy (8bit):6.3532700320638025
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
                                                                                                            MD5:65D8CB2733295758E5328E5A3E1AFF15
                                                                                                            SHA1:F2378928BB9CCFBA566EC574E501F6A82A833143
                                                                                                            SHA-256:E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
                                                                                                            SHA-512:BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........g......#...............................c................................6......... .........................Y@......................................0....................................................................................text...D...........................`.P`.data...............................@.`..rdata..0".......$..................@.`@/4.......Z.......\..................@.0@.bss....t....p........................`..edata..Y@.......B...8..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..0...........................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):235032
                                                                                                            Entropy (8bit):6.398850087061798
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
                                                                                                            MD5:E1D0ACD1243F9E59491DC115F4E379A4
                                                                                                            SHA1:5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
                                                                                                            SHA-256:FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
                                                                                                            SHA-512:392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........Y......#..............................tp.......................................... .........................$...............................................................................................<............................text...............................`.P`.data...L...........................@.0..rdata...1.......2..................@.`@/4.......m... ...n..................@.0@.bss..................................`..edata..$............`..............@.0@.idata...............j..............@.0..CRT....,............t..............@.0..tls.... ............v..............@.0..reloc...............x..............@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):441975
                                                                                                            Entropy (8bit):6.372283713065844
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
                                                                                                            MD5:6CD78C8ADD1CFC7CBB85E2B971FCC764
                                                                                                            SHA1:5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
                                                                                                            SHA-256:C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
                                                                                                            SHA-512:EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....~.........................a......................... ......A3........ ..........................'......................................|....................................................................................text...4|.......~..................`.P`.data...............................@.`..rdata..............................@.`@/4..................................@.0@.bss..................................`..edata...'.......(...R..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..|...........................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1055417
                                                                                                            Entropy (8bit):7.312780382733874
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:1MWKOBAUZLYRwPKDOlbbT0pGavkg3NyeuQ6l9fHOfc4Z:1dBAUZLYWiDOSpGaXBuQQ9u3Z
                                                                                                            MD5:F721A6B0A1590D55EADEAE81B8F629AA
                                                                                                            SHA1:8C6ED37D1D926D949161FF5F3B5682A4068644CE
                                                                                                            SHA-256:8E2EB9BAC3F5C37D91BFF7F04420DDA55CD369178C73ADF11E6C4DD7E597260F
                                                                                                            SHA-512:2FFDB23615EE72DF600248D6B9DED0E25DAE12D8424557EC07589F34601C00421CF32A748CB564AFCED99B419805E43BF4D6D05EC33D581DBD03F9AF853005E8
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........F......#.............................. f.......................................... ...................... ..u....0..<....`.......................p...............................P......................T1...............................text...D...........................`.P`.data...T...........................@.0..rdata..............................@.`@/4......TI.......J..................@.0@.bss..................................`..edata..u.... ......................@.0@.idata..<....0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):140752
                                                                                                            Entropy (8bit):6.52778891175594
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
                                                                                                            MD5:A8F646EB087F06F5AEBC2539EB14C14D
                                                                                                            SHA1:4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
                                                                                                            SHA-256:A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
                                                                                                            SHA-512:93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....T...................p.....a.......................................... ......................0.......@.......p..@.......................T............................`......................8B...............................text....R.......T..................`.P`.data........p.......X..............@.`..rdata...F.......H...\..............@.`@/4......L3.......4..................@.0@.bss....@.............................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...@....p......................@.0..reloc..T...........................@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):509934
                                                                                                            Entropy (8bit):6.031080686301204
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
                                                                                                            MD5:02E6C6AB886700E6F184EEE43157C066
                                                                                                            SHA1:E796B7F7762BE9B90948EB80D0138C4598700ED9
                                                                                                            SHA-256:EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
                                                                                                            SHA-512:E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........P......#...............................k......................... ......CY........ .....................................................................................................................|...,............................text...T...........................`.P`.data...............................@.0..rdata..XN.......P..................@.`@/4.......x...0...z..................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):397808
                                                                                                            Entropy (8bit):6.396146399966879
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
                                                                                                            MD5:E0747D2E573E0A05A7421C5D9B9D63CC
                                                                                                            SHA1:C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
                                                                                                            SHA-256:25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
                                                                                                            SHA-512:201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\4......n......#......................... ....Dk.......................................... ..........................5...0...............................`..T............................P.......................2...............................text...D...........................`.P`.data...X1... ...2..................@.`..rdata..x....`.......F..............@.`@/4..................................@.0@.bss....`.............................`..edata...5.......6..................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..reloc..T....`......................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):171848
                                                                                                            Entropy (8bit):6.579154579239999
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
                                                                                                            MD5:236A679AB1B16E66625AFBA86A4669EB
                                                                                                            SHA1:73AE354886AB2609FFA83429E74D8D9F34BD45F2
                                                                                                            SHA-256:B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
                                                                                                            SHA-512:C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ......;......#...............................c................................q......... .........................,.......<.......H...........................................................................(................................text...............................`.P`.data... ...........................@.0..rdata..|y.......z..................@.`@/4......HN...@...P... ..............@.0@.bss..................................`..edata..,............p..............@.0@.idata..<............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...H...........................@.0..reloc..............................@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):259014
                                                                                                            Entropy (8bit):6.075222655669795
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
                                                                                                            MD5:B4FDE05A19346072C713BE2926AF8961
                                                                                                            SHA1:102562DE2240042B654C464F1F22290676CB6E0F
                                                                                                            SHA-256:513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
                                                                                                            SHA-512:9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):64724
                                                                                                            Entropy (8bit):5.910307743399971
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
                                                                                                            MD5:7AF455ADEA234DEA33B2A65B715BF683
                                                                                                            SHA1:F9311CB03DCF50657D160D89C66998B9BB1F40BA
                                                                                                            SHA-256:6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
                                                                                                            SHA-512:B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):92019
                                                                                                            Entropy (8bit):5.974787373427489
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
                                                                                                            MD5:CC7DAD980DD04E0387795741D809CBF7
                                                                                                            SHA1:A49178A17B1C72AD71558606647F5011E0AA444B
                                                                                                            SHA-256:0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
                                                                                                            SHA-512:E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):165739
                                                                                                            Entropy (8bit):6.062324507479428
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
                                                                                                            MD5:E2F18B37BC3D02CDE2E5C15D93E38418
                                                                                                            SHA1:1A6C58F4A50269D3DB8C86D94B508A1919841279
                                                                                                            SHA-256:7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
                                                                                                            SHA-512:61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):101544
                                                                                                            Entropy (8bit):6.237382830377451
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
                                                                                                            MD5:E13FCD8FB16E483E4DE47A036687D904
                                                                                                            SHA1:A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
                                                                                                            SHA-256:0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
                                                                                                            SHA-512:38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
                                                                                                            Malicious:true
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):291245
                                                                                                            Entropy (8bit):6.234245376773595
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
                                                                                                            MD5:2D8A0BC588118AA2A63EED7BF6DFC8C5
                                                                                                            SHA1:7FB318DC21768CD62C0614D7AD773CCFB7D6C893
                                                                                                            SHA-256:707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
                                                                                                            SHA-512:A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):706136
                                                                                                            Entropy (8bit):6.517672165992715
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
                                                                                                            MD5:3A8A13F0215CDA541EC58F7C80ED4782
                                                                                                            SHA1:085C3D5F62227319446DD61082919F6BE1EFD162
                                                                                                            SHA-256:A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
                                                                                                            SHA-512:4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
                                                                                                            Malicious:true
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):248781
                                                                                                            Entropy (8bit):6.474165596279956
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
                                                                                                            MD5:C4002F9E4234DFB5DBE64C8D2C9C2F09
                                                                                                            SHA1:5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
                                                                                                            SHA-256:F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
                                                                                                            SHA-512:4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):248694
                                                                                                            Entropy (8bit):6.346971642353424
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
                                                                                                            MD5:39A15291B9A87AEE42FBC46EC1FE35D6
                                                                                                            SHA1:AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
                                                                                                            SHA-256:7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
                                                                                                            SHA-512:FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
                                                                                                            Malicious:true
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):30994
                                                                                                            Entropy (8bit):5.666281517516177
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
                                                                                                            MD5:3C033F35FE26BC711C4D68EB7CF0066D
                                                                                                            SHA1:83F1AED76E6F847F6831A1A1C00FEDC50F909B81
                                                                                                            SHA-256:9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
                                                                                                            SHA-512:7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
                                                                                                            Malicious:true
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1545467
                                                                                                            Entropy (8bit):6.529166035051036
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:f//9GOTyiDI4jm0B4/W1EkWLENaQemY0y6hW98cA4q0v4gf:bVYKW983e
                                                                                                            MD5:7F95672216191C57573D049090125ECE
                                                                                                            SHA1:2C9D065A1F28F511149C3DBA219B52004FC51262
                                                                                                            SHA-256:689991853CD09032089F52656C9508061F105FAB5727F250890563EBF2656A45
                                                                                                            SHA-512:FD0DD095D5D76400FA97F5B3231D16570284EC31D04E2E9F3278F378233F316D4D91715898BF8A1B81803E613B97B2FE5FB064A9BD6BAE6E08AD3CAB9613E61B
                                                                                                            Malicious:true
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........~.........#.....4...z...............P.....o.......................................... ..........................p...0...............................p...t...........................`.......................2..D............................text....2.......4..................`.P`.data........P... ...8..............@.`..rdata..@....p.......X..............@.`@/4.......M...P...N...2..............@.0@.bss..................................`..edata...p.......r..................@.0@.idata.......0......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..reloc...t...p...v..................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):448557
                                                                                                            Entropy (8bit):6.353356595345232
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
                                                                                                            MD5:908111F583B7019D2ED3492435E5092D
                                                                                                            SHA1:8177C5E3B4D5CC1C65108E095D07E0389164DA76
                                                                                                            SHA-256:E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
                                                                                                            SHA-512:FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
                                                                                                            Malicious:true
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....,...................@.....i......................... ......._........ .........................[.......X...............................(&...................................................... ............................text...d*.......,..................`.P`.data........@.......0..............@.`..rdata......P.......2..............@.`@/4..................................@.0@.bss....|.............................`..edata..[............j..............@.0@.idata..X...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..(&.......(..................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65181
                                                                                                            Entropy (8bit):6.085572761520829
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
                                                                                                            MD5:98A49CC8AE2D608C6E377E95833C569B
                                                                                                            SHA1:BA001D8595AC846D9736A8A7D9161828615C135A
                                                                                                            SHA-256:213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
                                                                                                            SHA-512:C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
                                                                                                            Malicious:false
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1400653
                                                                                                            Entropy (8bit):6.518664771362139
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:YiyJaaUAnPfI1FO1Fm5wukMdBdfrwQAZV2R6yeYH3bhlN77S+N+RoQ8J0fnuVj1z:4aaUAnI1FOFmZkM1i2n5h++N+RCJ0fA1
                                                                                                            MD5:1124DD59526216DF405C4514949CCB54
                                                                                                            SHA1:8226C42D98B9D3C0E83A11167963D5B38B6DDD45
                                                                                                            SHA-256:A9016D40755966C547464430D3509CC3CFE9DD5D8B53F8B694B42B0D7141E5D6
                                                                                                            SHA-512:F007FBD3FBA7E3966FAF5F9D857ADB6607A99CD6FD8FFDF14E858BE6C4A0B155A9197BAA9D1DF0A28AF733F78F8A7346357EBAA7D3BD0C3934BF815CC51A930D
                                                                                                            Malicious:false
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........F.........#.........B... .................q.................................y........ ...................... .......................................0..t............................ ......................8................................text...............................`.P`.data...............................@.`..rdata..Tn... ...p..................@.`@/4.......c.......d...x..............@.0@.bss..................................`..edata....... ......................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..reloc..t....0......................@.0B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:troff or preprocessor input, ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4398
                                                                                                            Entropy (8bit):4.600955041903228
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:FR3NG1T8P+2P2DTd/8wtiA07c2SvQTPiu7Yr87jqgDAeNGB3t:FhNn+5DTZ8RA07c2SvbuErqjqgDAeot
                                                                                                            MD5:54952A1861F6282FF3A57F0909FC0AA0
                                                                                                            SHA1:DC1B5CF6C3FA4897C4ECBCCC79E596CDF226BBD8
                                                                                                            SHA-256:8C1CFB7D6CEB81249A513B39FC942A752ADA98CBEEB47610EF9D5207C390F039
                                                                                                            SHA-512:7496F196A462478A0EDDD5D02F6F7D87894CB9EF15539149680C0E3A14F075DFA2FEACC577E5D34FEF5A4EF03B9B89CA1D249F32EBA9B8C7705D209C1E40B115
                                                                                                            Malicious:false
                                                                                                            Preview:.TH RAWTHERAPEE 1 "July 05, 2016"..SH NAME.RawTherapee - An advanced, cross-platform program for developing raw photos...SH DESCRIPTION.\fBRawTherapee\fP is an advanced program for developing raw photos and for processing non-raw photos. It is non-destructive, makes use of OpenMP, supports all the cameras supported by dcraw and more, and carries out its calculations in a high precision 32-bit floating point engine...SH LINKS. Website: http://www.rawtherapee.com/. Documentation: http://rawpedia.rawtherapee.com/. Forum: https://discuss.pixls.us/c/software/rawtherapee. Code and bug reports: https://github.com/Beep6581/RawTherapee..SH SYMBOLS. <Chevrons> indicate parameters you can change.. [Square brackets] mean the parameter is optional.. The pipe symbol | indicates a choice of one or the other.. The dash symbol - denotes a range of possible values from one to the other...SH SYNOPSIS. rawtherapee <folder> Start File Browser inside folder.. rawtherapee <file>
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:troff or preprocessor input, ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4398
                                                                                                            Entropy (8bit):4.600955041903228
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:FR3NG1T8P+2P2DTd/8wtiA07c2SvQTPiu7Yr87jqgDAeNGB3t:FhNn+5DTZ8RA07c2SvbuErqjqgDAeot
                                                                                                            MD5:54952A1861F6282FF3A57F0909FC0AA0
                                                                                                            SHA1:DC1B5CF6C3FA4897C4ECBCCC79E596CDF226BBD8
                                                                                                            SHA-256:8C1CFB7D6CEB81249A513B39FC942A752ADA98CBEEB47610EF9D5207C390F039
                                                                                                            SHA-512:7496F196A462478A0EDDD5D02F6F7D87894CB9EF15539149680C0E3A14F075DFA2FEACC577E5D34FEF5A4EF03B9B89CA1D249F32EBA9B8C7705D209C1E40B115
                                                                                                            Malicious:false
                                                                                                            Preview:.TH RAWTHERAPEE 1 "July 05, 2016"..SH NAME.RawTherapee - An advanced, cross-platform program for developing raw photos...SH DESCRIPTION.\fBRawTherapee\fP is an advanced program for developing raw photos and for processing non-raw photos. It is non-destructive, makes use of OpenMP, supports all the cameras supported by dcraw and more, and carries out its calculations in a high precision 32-bit floating point engine...SH LINKS. Website: http://www.rawtherapee.com/. Documentation: http://rawpedia.rawtherapee.com/. Forum: https://discuss.pixls.us/c/software/rawtherapee. Code and bug reports: https://github.com/Beep6581/RawTherapee..SH SYMBOLS. <Chevrons> indicate parameters you can change.. [Square brackets] mean the parameter is optional.. The pipe symbol | indicates a choice of one or the other.. The dash symbol - denotes a range of possible values from one to the other...SH SYNOPSIS. rawtherapee <folder> Start File Browser inside folder.. rawtherapee <file>
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
                                                                                                            Category:dropped
                                                                                                            Size (bytes):428276
                                                                                                            Entropy (8bit):6.886014625114044
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:Ukn3LhQ5oqok5ozff4nrcpfsP5hkKR/tdJJcgLVoUJkKstTQxi7gm95STk:lNaoc5qXyQpf85hkKpJcaoC2qjySo
                                                                                                            MD5:FAB8C7A709AE41E46991BBA2D92D5C16
                                                                                                            SHA1:A319C3B089FF5A2ED057F17ACD205E97870CB3C7
                                                                                                            SHA-256:FB356DA2E0A630B6B3B7CA744FD75E1CD635E956AC2BB590FB0661F576F0D9FE
                                                                                                            SHA-512:758C433AED819D3C4A2EC94A72E1828F3E67F2A6AFD8985132FF94937627EC3907AC103C522A1F663C0D4F6CDFC0D0F66D70C126F398E6C315984F7A3CCE11B3
                                                                                                            Malicious:false
                                                                                                            Preview:RIFF...WAVEfmt ........D...........bextZ...................................................................................................................................................................................................................................................................REAPER..........................................................2010-12-2711-22-26........................................................................................................................................................................................................................................................................junkJ.............................................................................data....{...g...S...B...1...!...................,...L...{.B.........<.....k.....#...l.a.............$./."...........c.}.....(.F.I.h.:.\... .........2.X.C.j./.U... .....N.w...#.........,.Q.....:.\...@......-.2.S.3.P.........C._.....O.e.....(.@.K.^...'.`.u..#"#.%.&.(.(1)B)
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                            Category:dropped
                                                                                                            Size (bytes):5100
                                                                                                            Entropy (8bit):2.532512620750306
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:qb6h/8qv7OWHpskif7WRDNKEglws/tf1o5S0Vnf9MNGtfK6f6U:qb6h/8qv7OWHpskif7WRDNKEglws/tfW
                                                                                                            MD5:C783110661A725CF8EC24464EC3A8E85
                                                                                                            SHA1:56C0B0DEE000943C15F600D25D2932FEC2487480
                                                                                                            SHA-256:5728F692F64A3CE3BD5CEF9CF8DFCD7987A57AD89ED315900D529A35C7502F7C
                                                                                                            SHA-512:FD1F7B15008F8D3AD71D0697FD1DA36870E3986B28143F45056D50C876EE977F951E2D6F0B7A83EA39C21255D6AE721870B3925F3471EAB4DE58BFB205D60BA3
                                                                                                            Malicious:false
                                                                                                            Preview:RIFF....WAVEfmt ........D....X......data................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
                                                                                                            Category:dropped
                                                                                                            Size (bytes):87904
                                                                                                            Entropy (8bit):2.8320113517950998
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:iUnrQOlMPBg8XMi0zhri0pCnpQ+khioq1a4Yqj2SGZUUmsaMbt/rYxer5:LQOA81VriOiDkItI4HeyUmUT5
                                                                                                            MD5:4CF1D4324A16976A70430CFBA7E07275
                                                                                                            SHA1:D671051E816026B4C2BB165E4284B66461E89E00
                                                                                                            SHA-256:7C3CAF282CF68DC3E114EAEE5007FD949D3622AEE4722B445822EE96A309B178
                                                                                                            SHA-512:54212393458F4607127B9B02BB2989DF1C6A9AADE9FA215103C63D3239AE027B78E74EA5E20F75F76FB5238E6309A7F39D52EB4D1E6C39E45B16296E15FA5C9E
                                                                                                            Malicious:false
                                                                                                            Preview:RIFFXW..WAVEfmt ........D...........data4W..........................".$.+.*.1.1.9.8.@.A.H.G.R.P.Y.Z.c.c.k.k.t.t.~.~.....................................................!.".0./.;.;.I.G.R.S.].^.h.f.k.l.q.p.s.r.q.p.l.m.c.d.W.X.G.F.4.3.....................T.S.............c.c.............A.@.........[.Z.............?.>.............J.L.............t.q.C.E.....................q.q.^.].I.J.;.;./.0.*.+.'.%.&.'.*.+.3.2.>.;.J.L.\.].r.q.....................2.1.].\.............#.#.\.].............a.c.........C.D.........>.>.........U.U.................T.T.....3.2.................d.b.....=.=.........{.}.....H.I.........m.n.....#.".{.|.........j.k.........7.7.r.s.............=.:.b.c.....................................................Y.Y.-...............=.>.........J.H.................0.2.....-./.................K.K.........U.T.........=.;.............O.N.............S.S.............`._.........F.F.........Q.P.............}.{........".".....f.f...........Z.[.3.2.........................2.1.[.].
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
                                                                                                            Category:dropped
                                                                                                            Size (bytes):87904
                                                                                                            Entropy (8bit):2.8320113517950998
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:iUnrQOlMPBg8XMi0zhri0pCnpQ+khioq1a4Yqj2SGZUUmsaMbt/rYxer5:LQOA81VriOiDkItI4HeyUmUT5
                                                                                                            MD5:4CF1D4324A16976A70430CFBA7E07275
                                                                                                            SHA1:D671051E816026B4C2BB165E4284B66461E89E00
                                                                                                            SHA-256:7C3CAF282CF68DC3E114EAEE5007FD949D3622AEE4722B445822EE96A309B178
                                                                                                            SHA-512:54212393458F4607127B9B02BB2989DF1C6A9AADE9FA215103C63D3239AE027B78E74EA5E20F75F76FB5238E6309A7F39D52EB4D1E6C39E45B16296E15FA5C9E
                                                                                                            Malicious:false
                                                                                                            Preview:RIFFXW..WAVEfmt ........D...........data4W..........................".$.+.*.1.1.9.8.@.A.H.G.R.P.Y.Z.c.c.k.k.t.t.~.~.....................................................!.".0./.;.;.I.G.R.S.].^.h.f.k.l.q.p.s.r.q.p.l.m.c.d.W.X.G.F.4.3.....................T.S.............c.c.............A.@.........[.Z.............?.>.............J.L.............t.q.C.E.....................q.q.^.].I.J.;.;./.0.*.+.'.%.&.'.*.+.3.2.>.;.J.L.\.].r.q.....................2.1.].\.............#.#.\.].............a.c.........C.D.........>.>.........U.U.................T.T.....3.2.................d.b.....=.=.........{.}.....H.I.........m.n.....#.".{.|.........j.k.........7.7.r.s.............=.:.b.c.....................................................Y.Y.-...............=.>.........J.H.................0.2.....-./.................K.K.........U.T.........=.;.............O.N.............S.S.............`._.........F.F.........Q.P.............}.{........".".....f.f...........Z.[.3.2.........................2.1.[.].
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                            Category:dropped
                                                                                                            Size (bytes):5100
                                                                                                            Entropy (8bit):2.532512620750306
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:qb6h/8qv7OWHpskif7WRDNKEglws/tf1o5S0Vnf9MNGtfK6f6U:qb6h/8qv7OWHpskif7WRDNKEglws/tfW
MD5:C783110661A725CF8EC24464EC3A8E85
SHA1:56C0B0DEE000943C15F600D25D2932FEC2487480
SHA-256:5728F692F64A3CE3BD5CEF9CF8DFCD7987A57AD89ED315900D529A35C7502F7C
SHA-512:FD1F7B15008F8D3AD71D0697FD1DA36870E3986B28143F45056D50C876EE977F951E2D6F0B7A83EA39C21255D6AE721870B3925F3471EAB4DE58BFB205D60BA3
Malicious:false
Preview:RIFF....WAVEfmt ........D....X......data................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
Category:dropped
Size (bytes):428276
Entropy (8bit):6.886014625114044
Encrypted:false
SSDEEP:6144:Ukn3LhQ5oqok5ozff4nrcpfsP5hkKR/tdJJcgLVoUJkKstTQxi7gm95STk:lNaoc5qXyQpf85hkKpJcaoC2qjySo
MD5:FAB8C7A709AE41E46991BBA2D92D5C16
SHA1:A319C3B089FF5A2ED057F17ACD205E97870CB3C7
SHA-256:FB356DA2E0A630B6B3B7CA744FD75E1CD635E956AC2BB590FB0661F576F0D9FE
SHA-512:758C433AED819D3C4A2EC94A72E1828F3E67F2A6AFD8985132FF94937627EC3907AC103C522A1F663C0D4F6CDFC0D0F66D70C126F398E6C315984F7A3CCE11B3
Malicious:false
Preview:RIFF...WAVEfmt ........D...........bextZ...................................................................................................................................................................................................................................................................REAPER..........................................................2010-12-2711-22-26........................................................................................................................................................................................................................................................................junkJ.............................................................................data....{...g...S...B...1...!...................,...L...{.B.........<.....k.....#...l.a.............$./."...........c.}.....(.F.I.h.:.\... .........2.X.C.j./.U... .....N.w...#.........,.Q.....:.\...@......-.2.S.3.P.........C._.....O.e.....(.@.K.^...'.`.u..#"#.%.&.(.(1)B)
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):15314
Entropy (8bit):5.284250344836985
Encrypted:false
SSDEEP:384:s/nuvm8NYR/fiYdMWIXMXPNAs38FfCVn4BT0liTv:s/nuO00iYuXMX538F4e0l0
MD5:151BF1A6D7402308311AE0CB91126354
SHA1:59ED51C10C3A2327BF4A681B6760D5261D8ADAB4
SHA-256:3FA682AEC3BE1CF88F090DE3AA1C29043EA854F67681E1A4988ED9B5EEE12E0F
SHA-512:0C9347BAAE733A3FCB6B0B97FDF964474A6703288E8AFB1CF7D34B08128C50CF7FEFCE1246A552FB335DFD9CECE3697C5F30A4B3B5832B92DFB7FCE25BB2201F
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#800000\nrt_base_color:#404040\nrt_fg_color:#808080\nrt_tooltip_fg_color:#D2D2D2\nrt_selected_bg_color:#502828\nrt_selected_fg_c
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):15240
Entropy (8bit):5.281913881221162
Encrypted:false
SSDEEP:384:s/nQm8VYR/fiYMFxNps38FfPVn4BT0liTv:s/nz6aiYB38Fle0l0
MD5:9C5CADE2B535F72CC5A000689CB9A2D3
SHA1:CC83D5469CD0DDFD46774FD2651F00AB88B59D7C
SHA-256:7D42948CBA0A1C72A7904B0280B25039A397AC8FFBD9F392FF848784D8A73CE9
SHA-512:C8E4679345C92BABCBEA7DAE0A8FB316BBD6009AB8C2FB6277BBB0DEB0F07CB62382A09150B6D37EBE85AC562A366FC8417F31BAA5A7322E46A2ACBC2F056E42
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#B0B0B0\nrt_base_color:#1A1A1A\nrt_fg_color:#909090\nrt_tooltip_fg_color:#1A1A1A\nrt_selected_bg_color:#4A4A4A\nrt_selected_fg_c
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):15239
Entropy (8bit):5.282415689355835
Encrypted:false
SSDEEP:384:s/nvm8VYR/fiYMFxNps38FfPVn4BT0liTv:s/nO60iYB38Fle0l0
MD5:3E78B1EB9CF6F1C5BD2C3C0D8FD0CF63
SHA1:66102FFCE69EE1042CA4CF8AE458E812255804F6
SHA-256:5FFFC48BBC55B5EA0A6940465F6CBE17DB8C962CFE877ACEEDD46C1B0501E56F
SHA-512:DC01DFB88CEFDEFD33B9C989006EF0E79110E6F5BE61D23336AD7CC2D936C8283C49F3D1ABBEED2BF05C751E1D19F49B1363905AB1EBB828FC39DA8576772ACD
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#FF8000\nrt_base_color:#1A1A1A\nrt_fg_color:#909090\nrt_tooltip_fg_color:#1A1A1A\nrt_selected_bg_color:#B3641B\nrt_selected_fg_c
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):15239
Entropy (8bit):5.282699280859126
Encrypted:false
SSDEEP:384:s/nDm8VYR/fiYMFxNps38FfPVn4BT0liTv:s/ny60iYB38Fle0l0
MD5:D5211F2DA91C68A3C5AEFE99F8881134
SHA1:E41A6DCEB922123B87B517C1150F84E7995589D8
SHA-256:57B4F9C0373DEE96BD5099A5D1D82AB88BFCD1C880089418B1CA5E9D57C7E575
SHA-512:E7BCDDA191F4FD390E0D388D442056495DA1C7A2301762BD116E838728B32F1CA992389CE9C5C692E34F46F023010661FC67B18B7B0E4D6467D47D5E4CFC2709
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#843382\nrt_base_color:#1A1A1A\nrt_fg_color:#909090\nrt_tooltip_fg_color:#1A1A1A\nrt_selected_bg_color:#5D235C\nrt_selected_fg_c
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):15239
Entropy (8bit):5.282174443982065
Encrypted:false
SSDEEP:384:s/nmm8VYR/fiYMFxNps38FfPVn4BT0liTv:s/nN60iYB38Fle0l0
MD5:C3269CDBA36C727D93539A43D317F22D
SHA1:46BDA5118D7B46D5BD440BB07A20C0B579E7E9C3
SHA-256:CA57AF744007A9A701689FD379642707208098E4E0FB22CDE4A772E90C19BE0C
SHA-512:692307A48C72346006755CDDE3A537CCAD4B837CF77F58D9B86F3CCAD421C3D0A346D9D3A874EC37B3F874C7130CF4CEA044CBC694B189D649500734E394CEC4
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#800000\nrt_base_color:#1A1A1A\nrt_fg_color:#909090\nrt_tooltip_fg_color:#1A1A1A\nrt_selected_bg_color:#703535\nrt_selected_fg_c
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):15316
Entropy (8bit):5.285205732529683
Encrypted:false
SSDEEP:384:s/nfm8NYR/fiY3FIXMXRNAs38FfCVn4BT0liTv:s/ne00iYmXMX/38F4e0l0
MD5:D7F0E29E72DD6DA10FCD68F9CB000306
SHA1:6D1350F4EB13226E24BEE8CCFDC263F60378736B
SHA-256:8C9BB9F265CFF75693F8931DA1394C4570EC2B7659513191FE8C3FB714A5689D
SHA-512:541BA15E9F02D24A63B1246C86E934C39B3CDDDAAFAB683AE9D9459BC2105C5F0B401E111BE3663397C08774D4CC5D3A11AC31B40E250DA863C17B063247C003
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#606060\nrt_base_color:#525252\nrt_fg_color:#979797\nrt_tooltip_fg_color:#A0A0A0\nrt_selected_bg_color:#606060\nrt_selected_fg_c
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):15316
                                                                                                            Entropy (8bit):5.285295459413386
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:s/nFm8NYR/fiYDFDXMXRNAs38FfCVn4BT0liTv:s/nQ00iYZXMX/38F4e0l0
                                                                                                            MD5:0CF26C1BADDF39571F585154655499AD
                                                                                                            SHA1:4E7D1A090064F5FFE2D52DCF36C709E79FAFEF1E
                                                                                                            SHA-256:8A856FF0BD64F6B664FEFB5169DFF7DFA2AAE97473AA816FE0581E3D143BC4A6
                                                                                                            SHA-512:484D0505892922C4E177A9D2E1ACBB4A79FCED4C74308A46EF7513ED86ACDD88980B2009A2045DA990019EBCF74B5586DF54DD1D25BDA781B1235CA7D526E413
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#843382\nrt_base_color:#525252\nrt_fg_color:#979797\nrt_tooltip_fg_color:#A0A0A0\nrt_selected_bg_color:#5D235C\nrt_selected_fg_c
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):23
                                                                                                            Entropy (8bit):3.9690016298759936
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAzOv:1+pOv
                                                                                                            MD5:F65E7C074167CF02D1A9405A623A5D43
                                                                                                            SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
                                                                                                            SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
                                                                                                            SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Dark.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):15316
                                                                                                            Entropy (8bit):5.284681761910495
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:s/nsm8NYR/fiYDFDXMXRNAs38FfCVn4BT0liTv:s/nP00iYZXMX/38F4e0l0
                                                                                                            MD5:2A29C612DFF9BA6163D34194964B7EF2
                                                                                                            SHA1:D16222891914A017082B2DD5B65645DF15F1E1F2
                                                                                                            SHA-256:8ABB9629C678F47070BA7E2AEF63F69FA62ECB2E4FF47AD64A0D97852EC5C934
                                                                                                            SHA-512:D3F9016775265CC081569F90F57BEB8ECACF4A4A38A6CE3649DC6941C89CB1C7A601ADC5BC6C19660A3B885085A603E8FD5F0B0C30EA829D935214117FCAE599
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#800000\nrt_base_color:#525252\nrt_fg_color:#979797\nrt_tooltip_fg_color:#A0A0A0\nrt_selected_bg_color:#703535\nrt_selected_fg_c
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):23
                                                                                                            Entropy (8bit):3.9690016298759936
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAzOv:1+pOv
                                                                                                            MD5:F65E7C074167CF02D1A9405A623A5D43
                                                                                                            SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
                                                                                                            SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
                                                                                                            SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Dark.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):22741
                                                                                                            Entropy (8bit):5.302263346106244
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:s/nSm8PYRhznY/rgXbXRN0s38FfCVs4BT0lUTv:s/nJCCnYsXbX738Ffe0le
                                                                                                            MD5:44C5F257A2270D848CD5E44C7A2BFF03
                                                                                                            SHA1:9897E8208E3E3BF72B033D836CE1D01BE4941C75
                                                                                                            SHA-256:26DB2B06594083CC13085C8ABC903D27922F8405102A864102073D76D97F673B
                                                                                                            SHA-512:3D04E0E82D01691AE2DF289F7A7CED2E0219375296ED28157B90D223897066E825FD43577A0D1736BD1432F2081BF7966567DC64EE933BF687F74A58A9D8C968
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#800000\nrt_base_color:#707070\nrt_fg_color:#A9A9A9\nrt_tooltip_fg_color:#A5A5A5\nrt_selected_bg_color:#562020\nrt_selected_fg_c
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):23
                                                                                                            Entropy (8bit):3.9690016298759936
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAzOv:1+pOv
                                                                                                            MD5:F65E7C074167CF02D1A9405A623A5D43
                                                                                                            SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
                                                                                                            SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
                                                                                                            SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Dark.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):15436
                                                                                                            Entropy (8bit):5.281175225799727
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:s/nSm8NYRhznYEFEXbXRN0s38FfCVs4BT0liTv:s/nJ0CnYFXbX738Ffe0l0
                                                                                                            MD5:5326376204234C52BF4638EED7E78F79
                                                                                                            SHA1:6F52624611F604634EC2C2CB3248B826EFE1CB3C
                                                                                                            SHA-256:85E35BC02C414BB40D2E06BD827C4DD24E42F39BACF51281BDD33E88C5A0E557
                                                                                                            SHA-512:CC778FCBA32A975BE9431B9F6AD76DF4145CF29B8D133BC375EE12DB675B7E837CFEC916A1049572FEBEA6F70D8911B378BE6CBE7569E293D90FB3F118C1AD91
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#800000\nrt_base_color:#707070\nrt_fg_color:#A9A9A9\nrt_tooltip_fg_color:#A5A5A5\nrt_selected_bg_color:#562020\nrt_selected_fg_c
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):23
                                                                                                            Entropy (8bit):3.9690016298759936
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAzOv:1+pOv
                                                                                                            MD5:F65E7C074167CF02D1A9405A623A5D43
                                                                                                            SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
                                                                                                            SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
                                                                                                            SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Dark.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):15079
                                                                                                            Entropy (8bit):5.28265925029125
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:s/n/sMm84wYR/J5iYY5M8Ex8BDNRoXPkXPiSc3d/KbjcW6Nn4B80lkGSrT9xIHtw:s/nlm8NYR/fiYzRXMXcNLWE4B80lAT9
                                                                                                            MD5:5C5BBA3EB67B730F9D27613787AD56C1
                                                                                                            SHA1:780C18DC24B087D6546DF76F3B6146A6063C62D6
                                                                                                            SHA-256:D81FE559C6EA8111E29EB676F1F861982885C05BA9C6126B503293883190B82A
                                                                                                            SHA-512:EDE31EED39D520618E311EB8F6ADD2B9165A1B7085BB14FC463E9213C4C1569FE8F75E74B12A87F0504AFDDECA65FF6843443EB1B949A1F5AB05CE2DE3C8A2A3
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#95B0DB\nrt_base_color:#dddddd\nrt_fg_color:#0A0A0A\nrt_tooltip_fg_color:#000000\nrt_selected_bg_color:#95B0DB\nrt_selected_fg_c
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):24
                                                                                                            Entropy (8bit):4.136842188131013
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAqRv:1+MJ
                                                                                                            MD5:2BE834BAC02BFB69E1E7935A62A6B8FB
                                                                                                            SHA1:6165F776AC298A991E497B03E9C2E1797ED81029
                                                                                                            SHA-256:113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
                                                                                                            SHA-512:1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Light.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):15008
                                                                                                            Entropy (8bit):5.270725103917416
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:s/nUm8NYR/fiYM8LXMX5fs38Ffx4Bf0lAT9:s/nX00iY/XMXq38FxK0lq
                                                                                                            MD5:64C98ACB587FC7E4F237EADAA84A591D
                                                                                                            SHA1:B92C3D066E67FC230D56E690AE1CC21222265614
                                                                                                            SHA-256:6E8E87C68E7EFC5CCF8694042649DE3EBA01EC1DF242C22D40842AF885D1118D
                                                                                                            SHA-512:B1542C0E3D5411CD8581150FE2D81401C93686E7E43754E8BF8F78ACBEB73A041F7D9223D7DC8072C132273D1DB6EB9917ED04F9F2123C1CEA4062E59CD7F129
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_base_color:#ffffff\nrt_fg_color:#101010\nrt_tooltip_fg_color:#000000\nrt_selected_bg_color:#7C99AD\nrt_selected_fg_color:#ffffff\nrt_text_c
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):24
                                                                                                            Entropy (8bit):4.136842188131013
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAqRv:1+MJ
                                                                                                            MD5:2BE834BAC02BFB69E1E7935A62A6B8FB
                                                                                                            SHA1:6165F776AC298A991E497B03E9C2E1797ED81029
                                                                                                            SHA-256:113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
                                                                                                            SHA-512:1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Light.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):137
                                                                                                            Entropy (8bit):5.815385299502723
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8ll1Aqg/ml90lvGdw1CwHTQ5NsEZxKG2mpFbp:6v/lhPW/WqgmnBdw1CFNsgdLbp
                                                                                                            MD5:CE4C02BA4708A1AAB1572A9148A94B95
                                                                                                            SHA1:E90673F72B063A610E7383EB7DAFEC7F0BD35549
                                                                                                            SHA-256:6E1332235BB51B2E29B244E5056A6C82015A5FEE79DB2D3A553CD6610DC3BB04
                                                                                                            SHA-512:902C214744235E7CA936D2B16215B63500BA980C00ADFD3773D2EFA65E12FD3EB34DA4F430024BEF2F781F762E4A938778C6AD71AF6D86A9CF02EF53C41E1233
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):194
                                                                                                            Entropy (8bit):6.478660891705174
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8llsAX81qfqjovwzflWfXbbt8i7ltydfIxDGKuQ11iEUvWK2K1:6v/lhPW/sAXkDokflSoAkpOKtMyldp
                                                                                                            MD5:88BC92E4CF3288BA93CAF398950874CD
                                                                                                            SHA1:F1B9F2C5EF5566C5BD983B5E1B3DFF17B06412F2
                                                                                                            SHA-256:258CD3545E4E4A9CF32F31FBD1AAF19869118F2B32CC8AB88C421D53F0A63D6D
                                                                                                            SHA-512:07DCA4BFC9581F425D7BAAB13E91668A0F1C832518DE7E98C0F872A305401B68B1D1C6DB56A81CF55A81E6587DD57168AF49D5676FF24C07A0BF6B0E04FADF8B
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):206
                                                                                                            Entropy (8bit):6.093633689706192
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhPW/f19VNtTlMGBSCghX2AGBIcDV6fr66Vp:6v/7uTVPTChXCBN8fJ7
                                                                                                            MD5:2DE4E41A0E31A4C0FBB2D7FC3CBC31CE
                                                                                                            SHA1:0704F540352C579647D28E5E7821D7CA7FCC6613
                                                                                                            SHA-256:FBEC4D0BC6ED3DFDADADFFD10EB9F04058DFC11E7248DD73814E7806E58795FA
                                                                                                            SHA-512:FE60C53AADB80B6B922E17B822710A6820046C07D2742694BDF3019DD025EB8ABF4366849BE789E122B7053D5B7798D1CEAA9A296C3D007C557D95CDFFEC0115
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):135
                                                                                                            Entropy (8bit):5.763983120472731
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8llrAkxHgbcMktxY8ot4sUnG/QgjOD4l+dCKolkup:6v/lhPW/skd/Mktx+thzjOciCflkup
                                                                                                            MD5:C1E1CF920D57580A1337044D9244B41A
                                                                                                            SHA1:2713C8C06B08A204042B3BF92F6E31724E965E81
                                                                                                            SHA-256:8BFC445B29843719FB37F265F727D4E9E6F6C0814F054A6330C096022CA7995A
                                                                                                            SHA-512:87968296D3A160EEA1C3CE012300DF21CC59ED57ADE023B76E9238AE37F491B3F585663CBC4ED86A99EA1E3C4E392672E0CEA803A2641C9F05651E62240FF358
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):195
                                                                                                            Entropy (8bit):6.589496150082679
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhPW/YkNWoInpCU14phhk1NWMUGHgyU/Hljp:6v/7uSoIpCUKhhDMUrymlN
                                                                                                            MD5:3043F969482A1E805E6DCA44A6072881
                                                                                                            SHA1:B5764E5B1B26D11737D9307A70E14403E7063A4A
                                                                                                            SHA-256:10A3799ABAABF93F03FD86A23FAFC6C68EB04B5BFB86497F04505DF151E1177E
                                                                                                            SHA-512:3BEAAFABEEF07E3BB7E95DC6C761157C38B9B2B2BDB99C517C073AA137950BFE010C0BDFCC29E955B6A46D6BEED4AB4D8D8D1EF580DD23E8A6B0F471E1FEB4D3
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):208
                                                                                                            Entropy (8bit):6.056729441397141
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhPW/f19VINtlMv+YftbtCETdkth4EN0QIVp:6v/7uTVI6T6T4ENRI7
                                                                                                            MD5:3DBA17AB50E1923EB74BF395677EFA06
                                                                                                            SHA1:F293297F4127A788E07D365FD4AB5EB19C7383C4
                                                                                                            SHA-256:33BF303743432947AF7E5E4FCFE7A7FF453FCFBFA6ABDC24671071B7C205DA84
                                                                                                            SHA-512:618BFD415108DDB51B7A1D1003D5E40A417BA36F612EF6FBB5F627AE7FDA2388AC2F08F8BFBE5CF6F172DF26737773C902A85FD98DEFB0CD7DE94B3CFF77FAD6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):128
                                                                                                            Entropy (8bit):5.703022629772099
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8lli9uOgkBCvMibqMGuNGpNfodyfsiB1p:6v/lhPW/i9uOliMibqMGjAMkijp
                                                                                                            MD5:65B820457098F3E41079DB7B024D6911
                                                                                                            SHA1:2D35F7523C5F990B810FAD7E2DFB1E2E46DC94AB
                                                                                                            SHA-256:3CA8816EC6B9E88958D7D33C3532CE57223E5B3454D2AE329A54C964590034D6
                                                                                                            SHA-512:52FAD1A53340EE03016E6B63364EE937BBA8C1FCBC8F491011D707102100F9BFCBB62C5D0B9D3F40BF8CEF48E4E9566271019CBA10CD57C4ACFA05EF210DF4E8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):193
                                                                                                            Entropy (8bit):6.5470203907323725
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhPW/bkgGNdjs2jOTS3Bs077TxUVxhlup:6v/7uzkgG7Y2yU14lc
                                                                                                            MD5:8FB0652E37E5375EFBFFC85E000333EC
                                                                                                            SHA1:98DF46702AB67C5CFF30922BE409209CEA30A6B5
                                                                                                            SHA-256:90939B8E3B4A568724143D056A93CD7B5528D4841A9D11EA0A4B11C2A35A4E03
                                                                                                            SHA-512:EF67A9624AA003A77724CB90F456A84181746E585003B31AE714A2870FFB3B2F069382CD7DA464FDE6BA68C37A94AE42CCB58B80E0608D41EEF30A81260D5545
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):139
                                                                                                            Entropy (8bit):5.9354638900987355
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8ll3MOgkBQTBlH/DVgPMWwnPUmLdeAkhBsF6c4V1B/0wXjp:6v/lhPW/cOlcBZKkWoLdePhq2BcwTp
                                                                                                            MD5:5EACCA1FC3A11F7E844B3809D9CAA537
                                                                                                            SHA1:86AF79F715B3921E507068558EEDC94EAAC677C6
                                                                                                            SHA-256:57A9751B8A85FD13C3F0C9EEAEB3B905D7B8802779EFE407E13444468A15C396
                                                                                                            SHA-512:997D5D631FF90CAD01D1613A347BF2C1F9D0723AF29A5CA52494BBEF97F4FA50040B171FD371F8A8FD31DDA2933EF0752ABC3056625A9DB747BC5E24EB6F7CD2
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):137
                                                                                                            Entropy (8bit):5.807754777184353
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8ll1AqgRtKq2HYGHgsG0z4H1iBLq/bp:6v/lhPW/WqoKq24Psjz4H1ipep
                                                                                                            MD5:BDBB9972D9B7265AD10EDB04A9C2E239
                                                                                                            SHA1:DCA1CBFD90B5C644E37DBB6748227E3EB472E0C8
                                                                                                            SHA-256:866FC4117FC8B133D84C9AC96D13A37E99EBF626CEA47F0E8B059B6641FFC7C3
                                                                                                            SHA-512:BA6059567C6EF35161BD3A82D320EFB8E16435EBFF9CA851AC724A58F45726621BCF7F380DBD2A94A29B5DD919FEF294E7440B31F2B2FACC42AAA1968144020D
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):194
                                                                                                            Entropy (8bit):6.427379953657502
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8llsAX81qfqjovwzflWfXb0oWhAm2KWmLk8vJvP+u3tKDhqcl1:6v/lhPW/sAXkDokflFoWhAmtW6k8ZUbp
                                                                                                            MD5:830FC62D759022DDBC665F1D8D2E9164
                                                                                                            SHA1:84FBC1F8F3770905AB365D465C956756FD62E15A
                                                                                                            SHA-256:0D0ED367EC6578DD5DB6A3637A5CFBF6DDEEB1CE12953C1DF09FEF8F8BD897AA
                                                                                                            SHA-512:B948DD792BC0379AFF1DB46A8ABFE5803005E3C5C1BC2F2ED382C4D5AF09DCCA7C8F98400B46B0C5CC1100CD492A8D1C3B90A5BE9B2C5EA2537DAA7911B3458C
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):220
                                                                                                            Entropy (8bit):6.113077361175645
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhPW/CsQH4dKcDA/M+DPu45sC93H5Adp:6v/7ugHcZuK45sC9X5C
                                                                                                            MD5:0BAE3C12DFF85642E6DEBB90607258F0
                                                                                                            SHA1:2B369328373C449DA154FEEC4235464F53AC27FB
                                                                                                            SHA-256:8C41C0E27B9D85D5D49BF44F00A096FA18680E85077FFEB9EC65750F1EFAAA41
                                                                                                            SHA-512:D86BAF78EECDFB96E857D1749BB0580F6230F83D54D4F4843F94EC6335AF339D22560A00907E897A9BB427200305B83056B4649321ABE0C719DDCA89549639D0
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1128
                                                                                                            Entropy (8bit):7.702657785044095
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:CiUpjur3mHiYuZssTwiTn7JgcOc/irhx1F613aC8BLZ2cL/Fsc:CNpj23hnNTwiTPzU6t+JI4FN
                                                                                                            MD5:3F6A543B6C75ACB2EE000A3BAC7B9A59
                                                                                                            SHA1:A53275A9B4F65393301A1C787B67E87FFDA8234F
                                                                                                            SHA-256:3FACB849498CFA7CCF96BF7B02C5792C0DC49374EA7DDDC8F78E7ED53A96C72B
                                                                                                            SHA-512:E9E98AFF394E4ADAEA3C79096BD8DC865EF539D67F9E3030FEB7F4FACAACC1278606592228A19733AF99128966530CEC1363E9C6DAB6C555DFC0D8C7ADB51517
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1497
                                                                                                            Entropy (8bit):7.768741056434717
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:oqyoicsCo1Rd3ASFaaFX4FumgLpc8ut4qzrtpei0AF3BkNmhqCTEOU:eznTR3YaFXSiut4qzrtbeNmhTE7
                                                                                                            MD5:F860FF3693F12371577E33808AEA17E7
                                                                                                            SHA1:10EA223E855685506460EA8C3FC9427350CAA1E2
                                                                                                            SHA-256:B8714DCC43D031A602E3C560EBB1A07C1A892AB84E34F06EDEB03B59FEB09BD6
                                                                                                            SHA-512:6A6307796F6C6D5FEC3A0B4168DCAD5E6B15008D5CC247B562ECE25E25B87AC40ECB372038E351674FC75AB391CA23E47B8DF1966D2849DC3DD0ADFFB7CEFA62
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:GIMP XCF image data, version 0, 32 x 32, RGB Color
                                                                                                            Category:dropped
                                                                                                            Size (bytes):3977
                                                                                                            Entropy (8bit):5.413488066014333
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:7dsNCv/C/CVGhkFTKfyeeocjI4Dc8oPjZ/narUX0Zwnc1ZHHdOkdsFVpAa:KcQ2Gyejc0QoPjZ/KKgwniLsFVpAa
                                                                                                            MD5:1339E8669A986ACB3CCA794EF7E67ABB
                                                                                                            SHA1:8295D74B144481F86B928D0C9A2F16AE0FF86F7C
                                                                                                            SHA-256:4D58C67A4095BE33201E16C2545B28DEF1CBA2D7690F0540877866CFC7ACE230
                                                                                                            SHA-512:DF9AA421947EF90713D0F9D2648803DDC975DB7FDB67F2941A9CA7FD489C9734081FE085C4ED4335C798A05CE2028D84C22A4948C558FDCBE86593CFEBB6A796
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1442
                                                                                                            Entropy (8bit):7.754161124979248
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:oq2vym+9kVWUOASjz39hd/9uinkxIyJubx/98nDDJFPyvfCDFHTCyFm+3wTf8f4C:aqmzV9az39z9hnkx+2DfyyD9TFAAwTfI
                                                                                                            MD5:46934D3CAA685BB0DBECF20BAB8BC317
                                                                                                            SHA1:DD61BF668D265AB3FBB61C6CB6CF25778632154F
                                                                                                            SHA-256:AC57AEA1D66661974EA2922733661B27D26D3C2026321E77A2A9ACE1CDAD558C
                                                                                                            SHA-512:BCB6D969F8823196652B4093988719C9F51940890D212A0E743CC887C46BE3DAD00D95B47970F1E682F3A40E7F7216EBFD4B37626AE130FE57F7F3CEBA718AE4
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1555
                                                                                                            Entropy (8bit):7.796645823149652
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:oqhLS0rCCBSazjoXK2RM1EpIuNF0piVLDlZLfciK3ZCHBJW:VjrBBSFXKP1ECuNF0piVLDlBfcOM
                                                                                                            MD5:486390A2CE5B4CC1393AC254780A7C7C
                                                                                                            SHA1:4305181EC1910A666A47C3715D27F5CA6991D688
                                                                                                            SHA-256:AB3BDFDFEED5743FD4AF47B0BA6AAAD914661DCE381A6FF8C8C8994363F83909
                                                                                                            SHA-512:F3F6051BA679C6F329A18E97F12CB6FFD9ED18D0F054C79ED9F2FB5D23F0484A12DB0FD16CD47F52B67E3D617F9BE728F9BECC850CF6A61FE9B74ED9701C2DD1
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):593
                                                                                                            Entropy (8bit):7.479894563773081
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIniUpZzmH9D1hP79P2J2ySk9BvSpqKu6kZPdiaXVygV271:giUpMDrD8J2ySMKIZoaX0gV271
                                                                                                            MD5:FFCCEC64441F01C7AA82069BB8D5E9D9
                                                                                                            SHA1:45C02522F48129065104E1C9B4E6AC63434CC7D9
                                                                                                            SHA-256:B8CEB44936275B37F8D08F71F01F223866CEE50E53182D529A3768514A8C7662
                                                                                                            SHA-512:E8709643F6C4CBAA98F7BF870028664324DE673141F1B9FCE995A03D011C4374817846DCED739B4A3DD37D315A474F739ACAD2933ACA63C67FA0216356B8E608
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):220
                                                                                                            Entropy (8bit):6.113077361175645
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhPW/CsQH4dKcDA/M+DPu45sC93H5Adp:6v/7ugHcZuK45sC9X5C
                                                                                                            MD5:0BAE3C12DFF85642E6DEBB90607258F0
                                                                                                            SHA1:2B369328373C449DA154FEEC4235464F53AC27FB
                                                                                                            SHA-256:8C41C0E27B9D85D5D49BF44F00A096FA18680E85077FFEB9EC65750F1EFAAA41
                                                                                                            SHA-512:D86BAF78EECDFB96E857D1749BB0580F6230F83D54D4F4843F94EC6335AF339D22560A00907E897A9BB427200305B83056B4649321ABE0C719DDCA89549639D0
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):324
                                                                                                            Entropy (8bit):6.776590990847706
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhP6IcHMRfCCllSP7k0Rt64huUPOfsIuDRWi9I1z2He4hsCvJgVm/kup:6v/7iIGMfbll8g0RciuU2fy9I1zg3lJP
                                                                                                            MD5:389BCEA15865028B56A0A70C87E13DCA
                                                                                                            SHA1:B771E6A3E73B2B3E4B440B2E59D98E9D7F3B60C7
                                                                                                            SHA-256:5CAA4636ADE7C9B36E257D1AB01D06FDA59310781F4C1E5B527342D5DD8B8DE3
                                                                                                            SHA-512:BDD82387E62B1726B402B1BE8B87CD2BF02C794A77525E4780A96DAE71E6CBF5F17261706A161A7AE1FDB8F15542DD2A3046ABE0A3328B5139C99F9F9CDDDFA3
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):135
                                                                                                            Entropy (8bit):5.763983120472731
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8llrAkxHgbcMktxY8ot4sUnG/QgjOD4l+dCKolkup:6v/lhPW/skd/Mktx+thzjOciCflkup
                                                                                                            MD5:C1E1CF920D57580A1337044D9244B41A
                                                                                                            SHA1:2713C8C06B08A204042B3BF92F6E31724E965E81
                                                                                                            SHA-256:8BFC445B29843719FB37F265F727D4E9E6F6C0814F054A6330C096022CA7995A
                                                                                                            SHA-512:87968296D3A160EEA1C3CE012300DF21CC59ED57ADE023B76E9238AE37F491B3F585663CBC4ED86A99EA1E3C4E392672E0CEA803A2641C9F05651E62240FF358
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):194
                                                                                                            Entropy (8bit):6.427379953657502
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8llsAX81qfqjovwzflWfXb0oWhAm2KWmLk8vJvP+u3tKDhqcl1:6v/lhPW/sAXkDokflFoWhAmtW6k8ZUbp
                                                                                                            MD5:830FC62D759022DDBC665F1D8D2E9164
                                                                                                            SHA1:84FBC1F8F3770905AB365D465C956756FD62E15A
                                                                                                            SHA-256:0D0ED367EC6578DD5DB6A3637A5CFBF6DDEEB1CE12953C1DF09FEF8F8BD897AA
                                                                                                            SHA-512:B948DD792BC0379AFF1DB46A8ABFE5803005E3C5C1BC2F2ED382C4D5AF09DCCA7C8F98400B46B0C5CC1100CD492A8D1C3B90A5BE9B2C5EA2537DAA7911B3458C
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):636
                                                                                                            Entropy (8bit):7.494209461570772
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIniUpZVqDOd94j4MwzQPlA89rnKP69TRUQMGsVc7:giUpXjBMwMPlA8BZ9OFGsk
                                                                                                            MD5:FE02DBEC1FBF19F2525E9C87E3023C7C
                                                                                                            SHA1:9503756A6C1CB9C742B6852F121B6D8092C06578
                                                                                                            SHA-256:CB2D73D2E08790836F67F4CCA213206C071F2215D65CCD0099EDD2B9A912B578
                                                                                                            SHA-512:CADBCCEE87CB20DA46E1E4BD9241EE22CF7BA6DE9B8ECAD2D1F3831A8AAE5D0061663F57815BCA19F2580C824EC599891726A240292E6AB289013A6AE971E2A0
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):434
                                                                                                            Entropy (8bit):7.191504491746101
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMfbllDGOEGFo+bciyq44LnHolz:HSbHCOEUo/W4EHa
                                                                                                            MD5:7E5A76C4CF167C7549FAD937DC8B3DA3
                                                                                                            SHA1:7BDBE8BE6737C51C292AA8F51F9586DB0432AB39
                                                                                                            SHA-256:77D9DBC6CC93882EEC1BA969D14AD6C0FDEFE35302F0F930751C4B5BAED2ABFE
                                                                                                            SHA-512:30D230F3F7A62425D92B5227D482E000741C34769BB88CB0F4EDABA782D3834892D9C0A1BC4468DA667951FF489453FD2B3B426ADC38BF6BA5EA34CEEACCC077
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):517
                                                                                                            Entropy (8bit):7.3380534299819
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2H4ZZG1CXGrA0JI/88sXEZ1gBxPibGo1+bsI:HS2H4ZGCWXC/tHZ10PiaJP
                                                                                                            MD5:156D5836B29559FD2A8AFACFA2931192
                                                                                                            SHA1:D92B24898B7483591E5B088C60D05B73355AD0EC
                                                                                                            SHA-256:ECE2829963DECBC954FDBC7F831451D36F1248EBDEAAC181B68AEBEC00BE3555
                                                                                                            SHA-512:591CCEED7768A3D6C87A9DC7EE34F9B1A1463AEE30C184027C24294901179BA9C6BFF697FD7004E22F12605D45CB7BC18FFE1C9D7D798A7AB40004FF36FBC656
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):502
                                                                                                            Entropy (8bit):7.307082621377148
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2H5kGLptWrJMNbLtUWrPwIfYSA2go4aOq07:HS2H6G16JEbSuff8hnaOq07
                                                                                                            MD5:9BBFAFFA43A8745739977748E1680DAB
                                                                                                            SHA1:A2DE96CC6B8D6A22F2E517ED8828A0E65769C6EB
                                                                                                            SHA-256:EAD5682AA1875AC0664177D32B817A0BE555B90AABB88DD8FA914FAF42125896
                                                                                                            SHA-512:3E1E77835D3786D1FFAE02EAEFD41FEF7BD55955F08806C176A5E5A06169029F07E194D001927E5AEAD066FA41C90CA1B41E354F274C3AA1C6A78EF0E37717E1
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):194
                                                                                                            Entropy (8bit):6.478660891705174
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8llsAX81qfqjovwzflWfXbbt8i7ltydfIxDGKuQ11iEUvWK2K1:6v/lhPW/sAXkDokflSoAkpOKtMyldp
                                                                                                            MD5:88BC92E4CF3288BA93CAF398950874CD
                                                                                                            SHA1:F1B9F2C5EF5566C5BD983B5E1B3DFF17B06412F2
                                                                                                            SHA-256:258CD3545E4E4A9CF32F31FBD1AAF19869118F2B32CC8AB88C421D53F0A63D6D
                                                                                                            SHA-512:07DCA4BFC9581F425D7BAAB13E91668A0F1C832518DE7E98C0F872A305401B68B1D1C6DB56A81CF55A81E6587DD57168AF49D5676FF24C07A0BF6B0E04FADF8B
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 8 x 8, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):69
                                                                                                            Entropy (8bit):4.258998795700668
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPlv5hrl6hJbF/k3ollkup:6v/lhPZcJq4ldp
                                                                                                            MD5:A7204A9D9C26A12DD3C0B069EFD8ACAC
                                                                                                            SHA1:5E1E54C75D7D83147DD57DCCBCC5302D1798B21E
                                                                                                            SHA-256:FA56F736618C032485F27BA183FF0D5226006E2080CF20813AF1C6A7B93F4AA3
                                                                                                            SHA-512:7401056BE66AE9CDAF9EFEF6DBA0F96384964DA491F538C35C283419EE819F767D6BFC601E2FEF8445FA25A447A5550C6CD8986330329981B852940EC334F08F
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR.....................IDAT..c..`.......%......IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):137
                                                                                                            Entropy (8bit):5.807754777184353
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8ll1AqgRtKq2HYGHgsG0z4H1iBLq/bp:6v/lhPW/WqoKq24Psjz4H1ipep
                                                                                                            MD5:BDBB9972D9B7265AD10EDB04A9C2E239
                                                                                                            SHA1:DCA1CBFD90B5C644E37DBB6748227E3EB472E0C8
                                                                                                            SHA-256:866FC4117FC8B133D84C9AC96D13A37E99EBF626CEA47F0E8B059B6641FFC7C3
                                                                                                            SHA-512:BA6059567C6EF35161BD3A82D320EFB8E16435EBFF9CA851AC724A58F45726621BCF7F380DBD2A94A29B5DD919FEF294E7440B31F2B2FACC42AAA1968144020D
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR.............V.W...PIDAT8.c`......._..)5...#.8..y(1.....\C..8.. .[.TCX.8........b...+@.Abr.Ip....2g..F.....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):128
                                                                                                            Entropy (8bit):5.703022629772099
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8lli9uOgkBCvMibqMGuNGpNfodyfsiB1p:6v/lhPW/i9uOliMibqMGjAMkijp
                                                                                                            MD5:65B820457098F3E41079DB7B024D6911
                                                                                                            SHA1:2D35F7523C5F990B810FAD7E2DFB1E2E46DC94AB
                                                                                                            SHA-256:3CA8816EC6B9E88958D7D33C3532CE57223E5B3454D2AE329A54C964590034D6
                                                                                                            SHA-512:52FAD1A53340EE03016E6B63364EE937BBA8C1FCBC8F491011D707102100F9BFCBB62C5D0B9D3F40BF8CEF48E4E9566271019CBA10CD57C4ACFA05EF210DF4E8
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR.............V.W...GIDAT8.c`......./...0.....X.R...8..S.....(5..#.X...EQjP.4.x(.l...........g.*Uug....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):333
                                                                                                            Entropy (8bit):6.65458733329839
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhP6IcHMRfCCllSJPwlzkv8z8zKWHCB9mowuVIRmCtIyWDoKby2Fb/67YEFp:6v/7iIGMfbllL5zMKWHCBBIRwyW0KbzG
                                                                                                            MD5:16CE13BC8208F1C0B9422FFAFBC46C6E
                                                                                                            SHA1:FB6B11EE39E0143A056385B25761FCB0E9ED980B
                                                                                                            SHA-256:1EC3BD426CCE1B1BD23664ADCC11FE51D04DE791FADB6A731DE7EB5076B26163
                                                                                                            SHA-512:46EB74547599EED50ED554DCAD5567198D20AAEF7B8D0F2F22E1912224F381F91F5501E4985B007945FC5D4A12B85ED0E06184168F6EE614135C8AFAE13334A5
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME......'.i.h....IDAT(.c`..@VV.WNN.]FF.WJJ.OZZ...............Z...B..Alsss.SSS......,CCC..$.q``.\XX.5N.UUU......pII..N.3g.4....'N.h.S..;U.]+..hXf...j85>~....+j.O..>~..$......8s..+....?..?..{'...{./_.H.}.y..0.15c..B......IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):549
                                                                                                            Entropy (8bit):7.372873904443628
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2H0ZF0NS5rNgZK5S80iwpLboX30XuQBMBVEB5Hk:HS2H/NS17A8v1X3wuxYY
                                                                                                            MD5:FA26AC420BEA517A2C4247572E33842E
                                                                                                            SHA1:06DE61402AAA1A2ADC2EF2969E76B7200A9D13AA
                                                                                                            SHA-256:8D8451A732FA6662F6FCE32CCF6751E421C6FFC7C5B819C29AB1482967B05FFA
                                                                                                            SHA-512:8850CFCD06A82FA41D4B30F88DE5485857B2BD1B548CEC4A7F38B78E3427AEDA01B44762161D8352501F6AE0EBBAEE82AF71F52296CCB93399B4C01C6864D382
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....0.[.......IDAT(.mR.j.@........(.".."~C.n...Q.!...n.u.O.).+A.*..&>{..)..\2s.{....z...m..W.T.r.<0.....po.. 0X..Az..3....J....L.S..f.r..P....."I.T..hx.fS...../.lV.(..z-.~_..qx>..HV....b..J%Z...@.........e.X.A.%....LFN..&1.&..X.......l.,.T..@....m]`...j...b.s ...c.Z+.N.$..R.@.i..s.H.-....).0W`....I..D.x/xF7.(>.~..LuCf.L$..a...`.}...q....=5.! ..r.........I...6..8.]rnF...j...j5..-...|>....$@.nG.9. .":..!...x<....._.....`7....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):641
                                                                                                            Entropy (8bit):7.486329990930914
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2HcHsH4mHgE42VgbsrP2eByHKk8a4JLk++8/1:HS2H8mJJfIsrueEq9z+c1
                                                                                                            MD5:752E6CDC2C92BF4D22712F33A380CB93
                                                                                                            SHA1:07AC399AD6C9F72E97A1304E1324AD20EB42F633
                                                                                                            SHA-256:3294FEF8285A13B09967D3F631F8CE52C2AACC9A07604CD51B70811BED2ED40E
                                                                                                            SHA-512:9DC2C06873DE889B4E26AA9890B93E6FD37D04C73801865861FA46B95C2011BFEEC94B24F37BBD376C43E993FEE58D1C4A221AF09346CE70AF86BF379BD6CCA2
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....1*........IDAT(Se..k.A...|.n...n..T.%&X.....7.d_.".KA..T.J..Z.....w6D..e.e...=s......S.x..G=.....8"S.%/..|.....8=y1....:2...;.B.(K.I.W.kE../>....Z.r?.7<.~....t...BJ.i../.J...tz......7..!.J,.#..v.....9.Y....YQ....?|t............$V.@....zp...;!TU.M.......A..N.....[..V...&....9..xm..d2F.m..`.N......&.A.DU.....y.4....4....`8...\.|...y...q.]^~......@qXor....Ik..3.@+..V~d...........?7k...`.C.P.ZT.....QF-E.{..+5!... .6..(.i..`m....._~..e.n5.`0..z...Qr..IF.E..9Y.....r~ [.@8...k2*...$....n...orX'#..&........X....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1555
                                                                                                            Entropy (8bit):7.796645823149652
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:oqhLS0rCCBSazjoXK2RM1EpIuNF0piVLDlZLfciK3ZCHBJW:VjrBBSFXKP1ECuNF0piVLDlBfcOM
                                                                                                            MD5:486390A2CE5B4CC1393AC254780A7C7C
                                                                                                            SHA1:4305181EC1910A666A47C3715D27F5CA6991D688
                                                                                                            SHA-256:AB3BDFDFEED5743FD4AF47B0BA6AAAD914661DCE381A6FF8C8C8994363F83909
                                                                                                            SHA-512:F3F6051BA679C6F329A18E97F12CB6FFD9ED18D0F054C79ED9F2FB5D23F0484A12DB0FD16CD47F52B67E3D617F9BE728F9BECC850CF6A61FE9B74ED9701C2DD1
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR... ... .....szz.....sRGB.........bKGD.......C......pHYs.........B(.x....tIME......._......IDATX.WIO#G...+;.Ab.@B$...&...Q.?B2Q...[...8!qEB......bK.....-!..n.....Twlfh.T.v....Wv...eY....Fjiii.R.|..T*.:..a.^.@.U..Z.......~yyy{vv....F.."..NOO....z...S...+....:;;. ...n</....^.xx(_^^.'''.;...mmm..eU...^....011....L.......-...y..Vx...}...A.X,...>..............G....|?99.077.=00.......L&..h._..e..*..U(X....w......w...?.;;;_.........`_www[___..@.Q.H.O..........$,..r.J.P.nnnV..{....{j.....B@..c....!....u....C"P4M.b...V`./<,|.....t...J6...^...H.3..-m.}..5..)..A.0.-Z...!.......V....".:....Y#..z$^H.......eZBa.[..cXd....P:f.P>.&...<....-..v.2..J..DV-.5..i.Z....F....u E.%9...(p....Bpu...Gp...P.]..j.....U..i.!b...*..I.NF(.5.."-.n..L.V.1I.L.D>-..2..Ih..}.J*.`;.......u..*..0..=CC+.P.B.i.@...+..............:1....N%.M<e.....XAUF.W.Sb.M.f.=G...*.be..j.'/...$#.H..0...^......=..u.1s7.B......L....RO.L.Y....T....].Lk..SS..I(..4.Lwf.3N...=...sF#..o9.MK."`...
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):137
                                                                                                            Entropy (8bit):5.815385299502723
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8ll1Aqg/ml90lvGdw1CwHTQ5NsEZxKG2mpFbp:6v/lhPW/WqgmnBdw1CFNsgdLbp
                                                                                                            MD5:CE4C02BA4708A1AAB1572A9148A94B95
                                                                                                            SHA1:E90673F72B063A610E7383EB7DAFEC7F0BD35549
                                                                                                            SHA-256:6E1332235BB51B2E29B244E5056A6C82015A5FEE79DB2D3A553CD6610DC3BB04
                                                                                                            SHA-512:902C214744235E7CA936D2B16215B63500BA980C00ADFD3773D2EFA65E12FD3EB34DA4F430024BEF2F781F762E4A938778C6AD71AF6D86A9CF02EF53C41E1233
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR.............V.W...PIDAT8.c`......._..........H1.....8....XIu.... ..b+..E.$..(.+. ...( .4.e@x4..G..6.g...t....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1497
                                                                                                            Entropy (8bit):7.768741056434717
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:oqyoicsCo1Rd3ASFaaFX4FumgLpc8ut4qzrtpei0AF3BkNmhqCTEOU:eznTR3YaFXSiut4qzrtbeNmhTE7
                                                                                                            MD5:F860FF3693F12371577E33808AEA17E7
                                                                                                            SHA1:10EA223E855685506460EA8C3FC9427350CAA1E2
                                                                                                            SHA-256:B8714DCC43D031A602E3C560EBB1A07C1A892AB84E34F06EDEB03B59FEB09BD6
                                                                                                            SHA-512:6A6307796F6C6D5FEC3A0B4168DCAD5E6B15008D5CC247B562ECE25E25B87AC40ECB372038E351674FC75AB391CA23E47B8DF1966D2849DC3DD0ADFFB7CEFA62
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR... ... .....szz.....sRGB.........bKGD.......C......pHYs.........B(.x....tIME......3...g...YIDATX.W.N#G.....`.......6........O&.b..@......`....J..)... ...0..Q9..n..1.LK.vwW.s...q. .x.........~.+..V...C..G.....4M.,.B.^.......w...1.}.33X....z....[,Jfgg........Z.R..'..y18@I.G....www...u...6ZYY.....w,KH.....nnn.....[\\lLLL.7..z.........$.,.3~||.......uOOO....{.........................1..XkC...}...D..M`.n..i...6dvNNN.9::........j..[.sssMX.I.........~B...`.(.....n...^]]].......hdd.k...o...rp~Lp.....%..*G.$.k4..\...6..:..._X...Yz.J0..`ll..).R..(...s... C.....J...0+x6m.A.J...X90L..~.i.H.(..?....`....|...}.......*d.>...v G.9....AR.W...H.$......H.i..?.)..<..)..Ps..<.x.....Lc........E}.,.30.5.p.........$.Et....\E...!.Fd...e......5.Q..s.I.B&.}..#.@..j.E..d..... `h=QL[..2..+..M.C.....k.s.i.I.3..+r.Z]..G|$..U..!..........{..J...T....K..e..1.e..[EY+.(T.T.<!.Y.I.....O.x.\L..^c..FHH.S........F4.f.{....S.....*eS. ..4....(...eQ.|9.....!.R4.X.+.<..!..
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):556
                                                                                                            Entropy (8bit):7.316549998180671
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2H9fw3E/3lkWcxh66ScOaqgx531nDqLwzIdjzRvL77:HS2H9YU/eWIfScvbnDzzchvLH
                                                                                                            MD5:E4118A159AC2AAB1876E440CF770CA3D
                                                                                                            SHA1:27A28242395D33530A955D2D6FE479A9D45DB0CC
                                                                                                            SHA-256:08268FF255BFD01B6AA0184ECD06B5A0C48D016BC429D3B155B7149A8CD10FDF
                                                                                                            SHA-512:611EAC1EB04097730CD7B8D9C52FF7DA5D2F741E8C4A54F291C0137B75DD326F42CF35AEDBDB17D153BA20845904BE9F1F3753069B36D3050E907FA5C3D3461A
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....0;..]....IDAT(SmR-o.A....;.8.5.....T..V`+....6.....L-..... ...Q........L2...y3ogF;..BI.Rq5M{.u.t8...3......{..j3..) @O.|$...b..q..z.......F3$x....$.4..l6...[.B..<...R4..E....k.r.E.^.X.K..b...|...J0..F.g..y&.TM&.n>.......).@[Uv.Gx...z...G)..X.hT.-,...XL...V....\.g.W....).. ."..<..Z.N.j.d..a...D..8).L.`...b.F{0.<b..A0.DUB.J:..I.mr.....t-f..V+.d...|.....n~....g.....~NW.'...t:c.....R)....(.d..v.`...V...e.f.!........)...[..-./..._x=t<....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):193
                                                                                                            Entropy (8bit):6.5470203907323725
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhPW/bkgGNdjs2jOTS3Bs077TxUVxhlup:6v/7uzkgG7Y2yU14lc
                                                                                                            MD5:8FB0652E37E5375EFBFFC85E000333EC
                                                                                                            SHA1:98DF46702AB67C5CFF30922BE409209CEA30A6B5
                                                                                                            SHA-256:90939B8E3B4A568724143D056A93CD7B5528D4841A9D11EA0A4B11C2A35A4E03
                                                                                                            SHA-512:EF67A9624AA003A77724CB90F456A84181746E585003B31AE714A2870FFB3B2F069382CD7DA464FDE6BA68C37A94AE42CCB58B80E0608D41EEF30A81260D5545
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR.............V.W....IDAT8...1..Q...Aa....R......h..~,...:..)..S.7.f...r.I...Rd...a...X..g<p...tBE3\.....&.rU^.WW..!FTF{.5....8b.>.1.o.,.O..........i......IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):437
                                                                                                            Entropy (8bit):7.172409807946269
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMfbllRNTwF4Aca6vxsbrVnsgP7F9J6Jz17:HSbHRhwF4A56vuZ/Z6t17
                                                                                                            MD5:E51360FDC759C15DEF4ED591275F6E37
                                                                                                            SHA1:723E725BAB93316AA5CBEEAF65A782777DD28983
                                                                                                            SHA-256:559FD805D661B05A7B67119EF93067D6BF076D5A92470F343332D80EB6C67168
                                                                                                            SHA-512:8BE34022F9188993A642A10A31D3AA05865254C69134726F5C1891E6537AF94A6E625D63A6E8D3C058A10E49A60D03C407AD8D6D70F09452D91957680D99E115
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME........Oj....5IDAT(..IN.@........7n.....\.3@....0&2...._./..J.Tu..5.8.fQ...;......|....*...[.$..>.#..z_A.,....|;.i.^.2^...5...R..U..y.,.8<...<.-;cJ)..E.(.0.....Z.s]..B....:..1.;dud...P..D.G.J..4Ml/.l..!.3.H....q.I..H..a.....I.uK`..^ ...s...2gL..\..(h@!.....R(S...8....a...K.kAf..."V.h0...N?v..}.~..c...t$!&.lo?..z...qm....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):208
                                                                                                            Entropy (8bit):6.056729441397141
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhPW/f19VINtlMv+YftbtCETdkth4EN0QIVp:6v/7uTVI6T6T4ENRI7
                                                                                                            MD5:3DBA17AB50E1923EB74BF395677EFA06
                                                                                                            SHA1:F293297F4127A788E07D365FD4AB5EB19C7383C4
                                                                                                            SHA-256:33BF303743432947AF7E5E4FCFE7A7FF453FCFBFA6ABDC24671071B7C205DA84
                                                                                                            SHA-512:618BFD415108DDB51B7A1D1003D5E40A417BA36F612EF6FBB5F627AE7FDA2388AC2F08F8BFBE5CF6F172DF26737773C902A85FD98DEFB0CD7DE94B3CFF77FAD6
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR.............V.W....bKGD..............pHYs...........~.....tIME.....,"E......]IDAT8.c...?.50.AT5....(1......../%. 9.._.!`19........,....5..a) ^..?)5....@|...F.<.F.h^..A..p..:.j=....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1442
                                                                                                            Entropy (8bit):7.754161124979248
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:oq2vym+9kVWUOASjz39hd/9uinkxIyJubx/98nDDJFPyvfCDFHTCyFm+3wTf8f4C:aqmzV9az39z9hnkx+2DfyyD9TFAAwTfI
                                                                                                            MD5:46934D3CAA685BB0DBECF20BAB8BC317
                                                                                                            SHA1:DD61BF668D265AB3FBB61C6CB6CF25778632154F
                                                                                                            SHA-256:AC57AEA1D66661974EA2922733661B27D26D3C2026321E77A2A9ACE1CDAD558C
                                                                                                            SHA-512:BCB6D969F8823196652B4093988719C9F51940890D212A0E743CC887C46BE3DAD00D95B47970F1E682F3A40E7F7216EBFD4B37626AE130FE57F7F3CEBA718AE4
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR... ... .....szz.....sRGB.........bKGD.......C......pHYs.........B(.x....tIME.......E......"IDATX.W.J,W....jm.A#>AA$......$....q.....!B.Cp..;1...p((...G=.Vyve...+...>g._....q.:..[__/.--}.....w..X.s.....y...N.EN..9.<koo.smmmknn...!V.b...OOO.8==....'........;;;}...}z..+.....vrr.8<<.........._....755.............r___G[[[+....%...z...\..T*..........Ay|||.........O...w......._utt..D{.T*.......1H..;.Z-......u......?........../....J.......m....F.=D+Rk.....PP.\..Ix....Z?;;.666...}.xW.{Z\...j....c...X1..zm.>..y.!...S.u.....o=l..n..._.f....R..P.."....~..8......l..`.;..B\........>.A...7..Q.F..4..=./.B.......eY..$.<..r....A..$.$.<.`)...........C...V...8.......^.....D&........r..Y9.K.....8..C.....%.UV;*....^. .d.....v. ......M...X..M..zR...H...'..'._dS..P.?..2S.MT......4$.....k...=.eL.^z.....X.e+.......$..sG..qm.vB.........&..I..+W....Q. ,.M.+.-Q..$<!.t....wi.rA..(v.kW..&.p.-.(..u+.j.5.y.....2N.....0....kW....5.y).J1. xDW...x..0.d.p.\S.d......l
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):139
                                                                                                            Entropy (8bit):5.9354638900987355
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPljll8ll3MOgkBQTBlH/DVgPMWwnPUmLdeAkhBsF6c4V1B/0wXjp:6v/lhPW/cOlcBZKkWoLdePhq2BcwTp
                                                                                                            MD5:5EACCA1FC3A11F7E844B3809D9CAA537
                                                                                                            SHA1:86AF79F715B3921E507068558EEDC94EAAC677C6
                                                                                                            SHA-256:57A9751B8A85FD13C3F0C9EEAEB3B905D7B8802779EFE407E13444468A15C396
                                                                                                            SHA-512:997D5D631FF90CAD01D1613A347BF2C1F9D0723AF29A5CA52494BBEF97F4FA50040B171FD371F8A8FD31DDA2933EF0752ABC3056625A9DB747BC5E24EB6F7CD2
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR.............V.W...RIDAT8.c`...........0h)._..` f....!...P9J....@.F.....;%....@,EI`..b.J....<..a.....z...l....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:GIMP XCF image data, version 0, 32 x 32, RGB Color
                                                                                                            Category:dropped
                                                                                                            Size (bytes):3977
                                                                                                            Entropy (8bit):5.413488066014333
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:7dsNCv/C/CVGhkFTKfyeeocjI4Dc8oPjZ/narUX0Zwnc1ZHHdOkdsFVpAa:KcQ2Gyejc0QoPjZ/KKgwniLsFVpAa
                                                                                                            MD5:1339E8669A986ACB3CCA794EF7E67ABB
                                                                                                            SHA1:8295D74B144481F86B928D0C9A2F16AE0FF86F7C
                                                                                                            SHA-256:4D58C67A4095BE33201E16C2545B28DEF1CBA2D7690F0540877866CFC7ACE230
                                                                                                            SHA-512:DF9AA421947EF90713D0F9D2648803DDC975DB7FDB67F2941A9CA7FD489C9734081FE085C4ED4335C798A05CE2028D84C22A4948C558FDCBE86593CFEBB6A796
                                                                                                            Malicious:false
                                                                                                            Preview:gimp xcf file.... ... .....................B...B..............?........................gimp-image-grid.........(style solid).(fgcolor (color-rgba 0.000000 0.000000 0.000000 1.000000)).(bgcolor (color-rgba 1.000000 1.000000 1.000000 1.000000)).(xspacing 10.000000).(yspacing 10.000000).(spacing-unit inches).(xoffset 0.000000).(yoffset 0.000000).(offset-unit inches).................................5........... ... ........New Layer............l...............................................................................................................+...........=....... ... .......Q....... ... ...a....E...............................#.E...............................#.E...............................#.E.............Vq.q.W......?......?......8......8..............#.... ... ........New Layer#4............................................................................................................................'................... ... ............... ... .........................."..
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):206
                                                                                                            Entropy (8bit):6.093633689706192
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhPW/f19VNtTlMGBSCghX2AGBIcDV6fr66Vp:6v/7uTVPTChXCBN8fJ7
                                                                                                            MD5:2DE4E41A0E31A4C0FBB2D7FC3CBC31CE
                                                                                                            SHA1:0704F540352C579647D28E5E7821D7CA7FCC6613
                                                                                                            SHA-256:FBEC4D0BC6ED3DFDADADFFD10EB9F04058DFC11E7248DD73814E7806E58795FA
                                                                                                            SHA-512:FE60C53AADB80B6B922E17B822710A6820046C07D2742694BDF3019DD025EB8ABF4366849BE789E122B7053D5B7798D1CEAA9A296C3D007C557D95CDFFEC0115
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR.............V.W....bKGD..............pHYs...........~.....tIME...../..v[....[IDAT8.c...?.50.A.o.../...hx)T.h.x....Lp..yI..?..D2......F.@....P1..[.....C ..4...m4A.G..F...=.G....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):551
                                                                                                            Entropy (8bit):7.319024742694981
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2HRd4HSOKRcIzpsbPjUdb4pndLBaXeeFUDqtCmN09:HS2HRd4HSBR5KbPognzadIb
                                                                                                            MD5:731657BF68ECC98F0DBE29095CCB88F7
                                                                                                            SHA1:D3B49C3AD148EC96F3088371715121D32EAA7843
                                                                                                            SHA-256:F95DA774191F393BA0EB0436B4CB22920C5F880ED51010177E6E9189CD36C44A
                                                                                                            SHA-512:DE50FC25578922C8BE31D869B70FC0559C965022D6BCCF71DE6CDD541B424DB67E1AE1032AEBAAE03DF66744A27344194AA7994C9CE84317D1AFD1B437D9AA9E
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....04.k......IDAT(..R.j.Q..}..z.%..h.N..OHa../H.......E>!HPl...F\.+n|f..1.*......9.v.\H.Z.&4M{.u.~>.....w>w....v...)"......"...a....@....n.kN.`.kH.)...K..kY..N.0..#1...=..s...A..0M.\..p%.R...B.b..f3..........."......q.J&...).N.b....5A......@.&.c.!.d...\.Z.Vu..V....."H.xO$...e.HX,....WL.`....F....."...m[bu..c.B.u.u..PB..4...U..._.]..*....KY...l<..a .v..>.s.4.....f#..}0..d2.8A#......*wUU...}.N.?.p=rlJ+.J.n..J#.......7\.R.-.c%....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):559
                                                                                                            Entropy (8bit):7.393060209024772
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2H1ClNHN+5CWPctjcNirsMD0YrO5kOBMlz:HS2HkHeCmPGxbibO9
                                                                                                            MD5:C720EFDABF3F8B47BD07FCFE80AF5608
                                                                                                            SHA1:A63400832DC55C911113C0176DA2EE6DF04F5D4F
                                                                                                            SHA-256:C81909BB15E1417A075DB27E1FA348C9371F68BF55B434FC70FB28FD5AED37AD
                                                                                                            SHA-512:1EF5ADCDE29FC4316DB7292D53741C3330BF17203B24EFDB6D1112413763FE37822BBDD9008B0C0E7A2210FA519D56922CB574C23043A12954FEF9ECDCBF382D
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....0..a......IDAT(.U..j.A.....#.B.B...H!.Jc..". !u.@.&.E .`X.Pl....].s....\f...=g..\.b.z..,.j:.S;.N.<.>.....N..4....=...f.*..{.BA<..t*..$..f.........r]..Z..*....iI&....H............J...@A.X,>@I.....q..b..T.Vu...._,./.v....3...}_'...Q]...H;a....T*.c..n.m1...g..J..#J)..\\>....#.C..D.3...d\.^^....q%hlse.....~..L.f.L.LaZ..g.Jw...n....y.......>....M1.I4.. ...@...A.1... . |.lV..[C.A.n.P.U*.T.\.r.... ..8..FK...#w;..y.r...]...............IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1128
                                                                                                            Entropy (8bit):7.702657785044095
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:CiUpjur3mHiYuZssTwiTn7JgcOc/irhx1F613aC8BLZ2cL/Fsc:CNpj23hnNTwiTPzU6t+JI4FN
                                                                                                            MD5:3F6A543B6C75ACB2EE000A3BAC7B9A59
                                                                                                            SHA1:A53275A9B4F65393301A1C787B67E87FFDA8234F
                                                                                                            SHA-256:3FACB849498CFA7CCF96BF7B02C5792C0DC49374EA7DDDC8F78E7ED53A96C72B
                                                                                                            SHA-512:E9E98AFF394E4ADAEA3C79096BD8DC865EF539D67F9E3030FEB7F4FACAACC1278606592228A19733AF99128966530CEC1363E9C6DAB6C555DFC0D8C7ADB51517
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR... ... .....szz.....sBIT....|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<.....IDATX..=SSA...........G.+F....._daaaa..a.....JG+.... 7$ww=g.ws..A/n.~.>.y..+}......=%.Tn..m.....Bt.....N..'.....Z.'...........;....[.d.....~.....9.LI.?>W.........It.W..m...N...x&8>.....}....0....JoU,<X$G..m..YV......w..L...:n..FJ..!......."|.......C)........)p...)F....[.Y..{..jZ@.j.s5xv.W.|L&./.^.u..y....h..4.9b..}$..q.....".....{..p..9;.s..Ul.............^......p...d+.....u......tZ...B......d..Z.....q.....'H.}...g.jl....~a.ng...m.....mw.fp..0....,MI..v.W..7........l8.s.K..*.2....qB..|:.\[...Nje...!..L.^q.Z.hU..f..35s..hK.......R.. $.-..:.......7.p6N.i.+.....u..!RE8..L&...U+...s.x.O.s.H.U.R.E..>z.".......".DB.....9F.......h...W.<.....KH.DO.}.q.!.*....<8.c.J...A.|.S..}.d..ZL......vh....<.#.......W.i..+...m....p...8..Q......A....7..f.sk=.....!.%........tY...S.+...t.Y....1.97P!..a....a.%.m9[~I..K.?..tB.v.L&.[-.h...D...J'......Q'4...59.......I.s..
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):195
                                                                                                            Entropy (8bit):6.589496150082679
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhPW/YkNWoInpCU14phhk1NWMUGHgyU/Hljp:6v/7uSoIpCUKhhDMUrymlN
                                                                                                            MD5:3043F969482A1E805E6DCA44A6072881
                                                                                                            SHA1:B5764E5B1B26D11737D9307A70E14403E7063A4A
                                                                                                            SHA-256:10A3799ABAABF93F03FD86A23FAFC6C68EB04B5BFB86497F04505DF151E1177E
                                                                                                            SHA-512:3BEAAFABEEF07E3BB7E95DC6C761157C38B9B2B2BDB99C517C073AA137950BFE010C0BDFCC29E955B6A46D6BEED4AB4D8D8D1EF580DD23E8A6B0F471E1FEB4D3
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR.............V.W....IDAT8...?..A...E....F'.j....DG.U$......N.|.....r..k.d.,..$4P.)R..}.F/.h..)...Q..c.%.x.t.8.jc....).......,p.3.i.k...v.F...X....^...Y.........q.....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 8 x 8, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):69
                                                                                                            Entropy (8bit):4.258998795700668
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:yionv//thPlv5hrl6hJbF/k3ollkup:6v/lhPZcJq4ldp
                                                                                                            MD5:A7204A9D9C26A12DD3C0B069EFD8ACAC
                                                                                                            SHA1:5E1E54C75D7D83147DD57DCCBCC5302D1798B21E
                                                                                                            SHA-256:FA56F736618C032485F27BA183FF0D5226006E2080CF20813AF1C6A7B93F4AA3
                                                                                                            SHA-512:7401056BE66AE9CDAF9EFEF6DBA0F96384964DA491F538C35C283419EE819F767D6BFC601E2FEF8445FA25A447A5550C6CD8986330329981B852940EC334F08F
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR.....................IDAT..c..`.......%......IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):333
                                                                                                            Entropy (8bit):6.65458733329839
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhP6IcHMRfCCllSJPwlzkv8z8zKWHCB9mowuVIRmCtIyWDoKby2Fb/67YEFp:6v/7iIGMfbllL5zMKWHCBBIRwyW0KbzG
                                                                                                            MD5:16CE13BC8208F1C0B9422FFAFBC46C6E
                                                                                                            SHA1:FB6B11EE39E0143A056385B25761FCB0E9ED980B
                                                                                                            SHA-256:1EC3BD426CCE1B1BD23664ADCC11FE51D04DE791FADB6A731DE7EB5076B26163
                                                                                                            SHA-512:46EB74547599EED50ED554DCAD5567198D20AAEF7B8D0F2F22E1912224F381F91F5501E4985B007945FC5D4A12B85ED0E06184168F6EE614135C8AFAE13334A5
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME......'.i.h....IDAT(.c`..@VV.WNN.]FF.WJJ.OZZ...............Z...B..Alsss.SSS......,CCC..$.q``.\XX.5N.UUU......pII..N.3g.4....'N.h.S..;U.]+..hXf...j85>~....+j.O..>~..$......8s..+....?..?..{'...{./_.H.}.y..0.15c..B......IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):324
                                                                                                            Entropy (8bit):6.776590990847706
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6v/lhP6IcHMRfCCllSP7k0Rt64huUPOfsIuDRWi9I1z2He4hsCvJgVm/kup:6v/7iIGMfbll8g0RciuU2fy9I1zg3lJP
                                                                                                            MD5:389BCEA15865028B56A0A70C87E13DCA
                                                                                                            SHA1:B771E6A3E73B2B3E4B440B2E59D98E9D7F3B60C7
                                                                                                            SHA-256:5CAA4636ADE7C9B36E257D1AB01D06FDA59310781F4C1E5B527342D5DD8B8DE3
                                                                                                            SHA-512:BDD82387E62B1726B402B1BE8B87CD2BF02C794A77525E4780A96DAE71E6CBF5F17261706A161A7AE1FDB8F15542DD2A3046ABE0A3328B5139C99F9F9CDDDFA3
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME......*........IDAT(.....0....Uh..C#`....&._...p%..qs.....H...K:....E.S...u....TU.+.R5M..B.m..y.._... ..Zk9M.`.}*.>..C..8.:..I...8.....a.v.......h.b..A....n.T...C...c.%...G..i.2J.+.J)GB...wY......:...,.D.Y?..F..Z.....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):593
                                                                                                            Entropy (8bit):7.479894563773081
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIniUpZzmH9D1hP79P2J2ySk9BvSpqKu6kZPdiaXVygV271:giUpMDrD8J2ySMKIZoaX0gV271
                                                                                                            MD5:FFCCEC64441F01C7AA82069BB8D5E9D9
                                                                                                            SHA1:45C02522F48129065104E1C9B4E6AC63434CC7D9
                                                                                                            SHA-256:B8CEB44936275B37F8D08F71F01F223866CEE50E53182D529A3768514A8C7662
                                                                                                            SHA-512:E8709643F6C4CBAA98F7BF870028664324DE673141F1B9FCE995A03D011C4374817846DCED739B4A3DD37D315A474F739ACAD2933ACA63C67FA0216356B8E608
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR..............H-.....sBIT....|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<.....IDAT(S...n.@.....I#;.X.j...U,.@..x..Bx.D.....W..X.b...Fqq.Z.RED8...3.s..l.H..9s...9:D)..1^..m.........R.@...>.T...97..=..z[......i7Q...<...F...di.......R....]...F...u.......W?41&v.6.O^.%ko.\".qH...)....$..z.NJe{o....."..N....NgXDK.q...y...d.@.q].20.9..(...A.a|~.J..F..$..2pn....$....N.4.2AR.R......`"3..R_....[v.h.n.!...5Gq..QA.Y,.....\..Z....{.h.............mU-..T.Ga..0.{....w..$K..?oN....4KW......'^py.fd..L.)L.z.O(..D..)H...............<....o....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):502
                                                                                                            Entropy (8bit):7.307082621377148
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2H5kGLptWrJMNbLtUWrPwIfYSA2go4aOq07:HS2H6G16JEbSuff8hnaOq07
                                                                                                            MD5:9BBFAFFA43A8745739977748E1680DAB
                                                                                                            SHA1:A2DE96CC6B8D6A22F2E517ED8828A0E65769C6EB
                                                                                                            SHA-256:EAD5682AA1875AC0664177D32B817A0BE555B90AABB88DD8FA914FAF42125896
                                                                                                            SHA-512:3E1E77835D3786D1FFAE02EAEFD41FEF7BD55955F08806C176A5E5A06169029F07E194D001927E5AEAD066FA41C90CA1B41E354F274C3AA1C6A78EF0E37717E1
                                                                                                            Malicious:false
                                                                                                            Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....2...i....vIDAT(S.RKj.Q.4..=....*.h.......].....y...E.j.O.....d.,.7..._.......`0.....p8|...}[..H......t..j...l`.6F....2G..x.D.7...^..8......d..{e%..H$.\...x..j..~....B.R..d......}d2.d.Y..u,..l.[.v;....P(.4..D..+^....<.."..*.g..Q.Z..r...4!E>..LT*....n..l4.*FQ..VI.....&..........eYOVM6...@....5...L.T*.J...p.rq..=."p2.`6.a:.....I5.s........I..\.@..F....rB.b..I....'...r..O...{7.\....IEND.B`.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):517
                                                                                                            Entropy (8bit):7.3380534299819
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2H4ZZG1CXGrA0JI/88sXEZ1gBxPibGo1+bsI:HS2H4ZGCWXC/tHZ10PiaJP
                                                                                                            MD5:156D5836B29559FD2A8AFACFA2931192
                                                                                                            SHA1:D92B24898B7483591E5B088C60D05B73355AD0EC
                                                                                                            SHA-256:ECE2829963DECBC954FDBC7F831451D36F1248EBDEAAC181B68AEBEC00BE3555
                                                                                                            SHA-512:591CCEED7768A3D6C87A9DC7EE34F9B1A1463AEE30C184027C24294901179BA9C6BFF697FD7004E22F12605D45CB7BC18FFE1C9D7D798A7AB40004FF36FBC656
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):636
                                                                                                            Entropy (8bit):7.494209461570772
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIniUpZVqDOd94j4MwzQPlA89rnKP69TRUQMGsVc7:giUpXjBMwMPlA8BZ9OFGsk
                                                                                                            MD5:FE02DBEC1FBF19F2525E9C87E3023C7C
                                                                                                            SHA1:9503756A6C1CB9C742B6852F121B6D8092C06578
                                                                                                            SHA-256:CB2D73D2E08790836F67F4CCA213206C071F2215D65CCD0099EDD2B9A912B578
                                                                                                            SHA-512:CADBCCEE87CB20DA46E1E4BD9241EE22CF7BA6DE9B8ECAD2D1F3831A8AAE5D0061663F57815BCA19F2580C824EC599891726A240292E6AB289013A6AE971E2A0
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):559
                                                                                                            Entropy (8bit):7.393060209024772
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2H1ClNHN+5CWPctjcNirsMD0YrO5kOBMlz:HS2HkHeCmPGxbibO9
                                                                                                            MD5:C720EFDABF3F8B47BD07FCFE80AF5608
                                                                                                            SHA1:A63400832DC55C911113C0176DA2EE6DF04F5D4F
                                                                                                            SHA-256:C81909BB15E1417A075DB27E1FA348C9371F68BF55B434FC70FB28FD5AED37AD
                                                                                                            SHA-512:1EF5ADCDE29FC4316DB7292D53741C3330BF17203B24EFDB6D1112413763FE37822BBDD9008B0C0E7A2210FA519D56922CB574C23043A12954FEF9ECDCBF382D
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):549
                                                                                                            Entropy (8bit):7.372873904443628
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2H0ZF0NS5rNgZK5S80iwpLboX30XuQBMBVEB5Hk:HS2H/NS17A8v1X3wuxYY
                                                                                                            MD5:FA26AC420BEA517A2C4247572E33842E
                                                                                                            SHA1:06DE61402AAA1A2ADC2EF2969E76B7200A9D13AA
                                                                                                            SHA-256:8D8451A732FA6662F6FCE32CCF6751E421C6FFC7C5B819C29AB1482967B05FFA
                                                                                                            SHA-512:8850CFCD06A82FA41D4B30F88DE5485857B2BD1B548CEC4A7F38B78E3427AEDA01B44762161D8352501F6AE0EBBAEE82AF71F52296CCB93399B4C01C6864D382
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):641
                                                                                                            Entropy (8bit):7.486329990930914
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2HcHsH4mHgE42VgbsrP2eByHKk8a4JLk++8/1:HS2H8mJJfIsrueEq9z+c1
                                                                                                            MD5:752E6CDC2C92BF4D22712F33A380CB93
                                                                                                            SHA1:07AC399AD6C9F72E97A1304E1324AD20EB42F633
                                                                                                            SHA-256:3294FEF8285A13B09967D3F631F8CE52C2AACC9A07604CD51B70811BED2ED40E
                                                                                                            SHA-512:9DC2C06873DE889B4E26AA9890B93E6FD37D04C73801865861FA46B95C2011BFEEC94B24F37BBD376C43E993FEE58D1C4A221AF09346CE70AF86BF379BD6CCA2
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):556
                                                                                                            Entropy (8bit):7.316549998180671
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2H9fw3E/3lkWcxh66ScOaqgx531nDqLwzIdjzRvL77:HS2H9YU/eWIfScvbnDzzchvLH
                                                                                                            MD5:E4118A159AC2AAB1876E440CF770CA3D
                                                                                                            SHA1:27A28242395D33530A955D2D6FE479A9D45DB0CC
                                                                                                            SHA-256:08268FF255BFD01B6AA0184ECD06B5A0C48D016BC429D3B155B7149A8CD10FDF
                                                                                                            SHA-512:611EAC1EB04097730CD7B8D9C52FF7DA5D2F741E8C4A54F291C0137B75DD326F42CF35AEDBDB17D153BA20845904BE9F1F3753069B36D3050E907FA5C3D3461A
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):551
                                                                                                            Entropy (8bit):7.319024742694981
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMf2HRd4HSOKRcIzpsbPjUdb4pndLBaXeeFUDqtCmN09:HS2HRd4HSBR5KbPognzadIb
                                                                                                            MD5:731657BF68ECC98F0DBE29095CCB88F7
                                                                                                            SHA1:D3B49C3AD148EC96F3088371715121D32EAA7843
                                                                                                            SHA-256:F95DA774191F393BA0EB0436B4CB22920C5F880ED51010177E6E9189CD36C44A
                                                                                                            SHA-512:DE50FC25578922C8BE31D869B70FC0559C965022D6BCCF71DE6CDD541B424DB67E1AE1032AEBAAE03DF66744A27344194AA7994C9CE84317D1AFD1B437D9AA9E
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):437
                                                                                                            Entropy (8bit):7.172409807946269
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMfbllRNTwF4Aca6vxsbrVnsgP7F9J6Jz17:HSbHRhwF4A56vuZ/Z6t17
                                                                                                            MD5:E51360FDC759C15DEF4ED591275F6E37
                                                                                                            SHA1:723E725BAB93316AA5CBEEAF65A782777DD28983
                                                                                                            SHA-256:559FD805D661B05A7B67119EF93067D6BF076D5A92470F343332D80EB6C67168
                                                                                                            SHA-512:8BE34022F9188993A642A10A31D3AA05865254C69134726F5C1891E6537AF94A6E625D63A6E8D3C058A10E49A60D03C407AD8D6D70F09452D91957680D99E115
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                            Category:dropped
                                                                                                            Size (bytes):434
                                                                                                            Entropy (8bit):7.191504491746101
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:6v/7iIGMfbllDGOEGFo+bciyq44LnHolz:HSbHCOEUo/W4EHa
                                                                                                            MD5:7E5A76C4CF167C7549FAD937DC8B3DA3
                                                                                                            SHA1:7BDBE8BE6737C51C292AA8F51F9586DB0432AB39
                                                                                                            SHA-256:77D9DBC6CC93882EEC1BA969D14AD6C0FDEFE35302F0F930751C4B5BAED2ABFE
                                                                                                            SHA-512:30D230F3F7A62425D92B5227D482E000741C34769BB88CB0F4EDABA782D3834892D9C0A1BC4468DA667951FF489453FD2B3B426ADC38BF6BA5EA34CEEACCC077
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):23
                                                                                                            Entropy (8bit):3.9690016298759936
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAzOv:1+pOv
                                                                                                            MD5:F65E7C074167CF02D1A9405A623A5D43
                                                                                                            SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
                                                                                                            SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
                                                                                                            SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Dark.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):24
                                                                                                            Entropy (8bit):4.136842188131013
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAqRv:1+MJ
                                                                                                            MD5:2BE834BAC02BFB69E1E7935A62A6B8FB
                                                                                                            SHA1:6165F776AC298A991E497B03E9C2E1797ED81029
                                                                                                            SHA-256:113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
                                                                                                            SHA-512:1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Light.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):15316
                                                                                                            Entropy (8bit):5.284681761910495
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:s/nsm8NYR/fiYDFDXMXRNAs38FfCVn4BT0liTv:s/nP00iYZXMX/38F4e0l0
                                                                                                            MD5:2A29C612DFF9BA6163D34194964B7EF2
                                                                                                            SHA1:D16222891914A017082B2DD5B65645DF15F1E1F2
                                                                                                            SHA-256:8ABB9629C678F47070BA7E2AEF63F69FA62ECB2E4FF47AD64A0D97852EC5C934
                                                                                                            SHA-512:D3F9016775265CC081569F90F57BEB8ECACF4A4A38A6CE3649DC6941C89CB1C7A601ADC5BC6C19660A3B885085A603E8FD5F0B0C30EA829D935214117FCAE599
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#800000\nrt_base_color:#525252\nrt_fg_color:#979797\nrt_tooltip_fg_color:#A0A0A0\nrt_selected_bg_color:#703535\nrt_selected_fg_c
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):15314
                                                                                                            Entropy (8bit):5.284250344836985
                                                                                                            Encrypted:false
SSDEEP:384:s/nuvm8NYR/fiYdMWIXMXPNAs38FfCVn4BT0liTv:s/nuO00iYuXMX538F4e0l0
MD5:151BF1A6D7402308311AE0CB91126354
SHA1:59ED51C10C3A2327BF4A681B6760D5261D8ADAB4
SHA-256:3FA682AEC3BE1CF88F090DE3AA1C29043EA854F67681E1A4988ED9B5EEE12E0F
SHA-512:0C9347BAAE733A3FCB6B0B97FDF964474A6703288E8AFB1CF7D34B08128C50CF7FEFCE1246A552FB335DFD9CECE3697C5F30A4B3B5832B92DFB7FCE25BB2201F
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#800000\nrt_base_color:#404040\nrt_fg_color:#808080\nrt_tooltip_fg_color:#D2D2D2\nrt_selected_bg_color:#502828\nrt_selected_fg_c

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):15316
Entropy (8bit):5.285295459413386
Encrypted:false
SSDEEP:384:s/nFm8NYR/fiYDFDXMXRNAs38FfCVn4BT0liTv:s/nQ00iYZXMX/38F4e0l0
MD5:0CF26C1BADDF39571F585154655499AD
SHA1:4E7D1A090064F5FFE2D52DCF36C709E79FAFEF1E
SHA-256:8A856FF0BD64F6B664FEFB5169DFF7DFA2AAE97473AA816FE0581E3D143BC4A6
SHA-512:484D0505892922C4E177A9D2E1ACBB4A79FCED4C74308A46EF7513ED86ACDD88980B2009A2045DA990019EBCF74B5586DF54DD1D25BDA781B1235CA7D526E413
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#843382\nrt_base_color:#525252\nrt_fg_color:#979797\nrt_tooltip_fg_color:#A0A0A0\nrt_selected_bg_color:#5D235C\nrt_selected_fg_c

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):3276
Entropy (8bit):5.106247394055059
Encrypted:false
SSDEEP:48:9yjeGR/K4ysHjBcKKFyY+fwVsFcDIYMkSnvRN55FQcsFnZFnFveKW+dFKeQFqer/:sjbR/njBz1QsFcUYnSR3QzwLwS
MD5:72CACEE801EFA43AE137706B6A355D87
SHA1:20AB5543B96FB36AE8540DF45022229E0A1EE780
SHA-256:72EC12AEC248C88FA8D0EC7D3185F74006E45D092736B9EF8C15692C69A1355E
SHA-512:FB2769296F2CF702E7387B6F959FE02EFC2AC96C9E782472C6CA93BD9E8C76FBE2BD725AF227E7444452735B96757C3ACFF51BE5D6A1FB6226E5FD7583D00FC6
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "salt_pinch:#95B0DB\nbase_color:#dddddd\nfg_color:#0A0A0A\ntooltip_fg_color:#000000\nselected_bg_color:#95B0DB\nselected_fg_color:#FFFFFF\ntext

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):22741
Entropy (8bit):5.302263346106244
Encrypted:false
SSDEEP:384:s/nSm8PYRhznY/rgXbXRN0s38FfCVs4BT0lUTv:s/nJCCnYsXbX738Ffe0le
MD5:44C5F257A2270D848CD5E44C7A2BFF03
SHA1:9897E8208E3E3BF72B033D836CE1D01BE4941C75
SHA-256:26DB2B06594083CC13085C8ABC903D27922F8405102A864102073D76D97F673B
SHA-512:3D04E0E82D01691AE2DF289F7A7CED2E0219375296ED28157B90D223897066E825FD43577A0D1736BD1432F2081BF7966567DC64EE933BF687F74A58A9D8C968
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#800000\nrt_base_color:#707070\nrt_fg_color:#A9A9A9\nrt_tooltip_fg_color:#A5A5A5\nrt_selected_bg_color:#562020\nrt_selected_fg_c

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):15240
Entropy (8bit):5.281913881221162
Encrypted:false
SSDEEP:384:s/nQm8VYR/fiYMFxNps38FfPVn4BT0liTv:s/nz6aiYB38Fle0l0
MD5:9C5CADE2B535F72CC5A000689CB9A2D3
SHA1:CC83D5469CD0DDFD46774FD2651F00AB88B59D7C
SHA-256:7D42948CBA0A1C72A7904B0280B25039A397AC8FFBD9F392FF848784D8A73CE9
SHA-512:C8E4679345C92BABCBEA7DAE0A8FB316BBD6009AB8C2FB6277BBB0DEB0F07CB62382A09150B6D37EBE85AC562A366FC8417F31BAA5A7322E46A2ACBC2F056E42
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#B0B0B0\nrt_base_color:#1A1A1A\nrt_fg_color:#909090\nrt_tooltip_fg_color:#1A1A1A\nrt_selected_bg_color:#4A4A4A\nrt_selected_fg_c

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):24
Entropy (8bit):4.136842188131013
Encrypted:false
SSDEEP:3:1ERdiAqRv:1+MJ
MD5:2BE834BAC02BFB69E1E7935A62A6B8FB
SHA1:6165F776AC298A991E497B03E9C2E1797ED81029
SHA-256:113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
SHA-512:1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
Malicious:false
Preview:[General].Iconset=Light.

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):24
Entropy (8bit):4.136842188131013
Encrypted:false
SSDEEP:3:1ERdiAqRv:1+MJ
MD5:2BE834BAC02BFB69E1E7935A62A6B8FB
SHA1:6165F776AC298A991E497B03E9C2E1797ED81029
SHA-256:113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
SHA-512:1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
Malicious:false
Preview:[General].Iconset=Light.
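The Size, Entropy (8bit) and hash fields in these dropped-file records are all reproducible from the file bytes, and recomputing them is how an analyst confirms that an artifact recovered elsewhere is the same file the sandbox saw. The Python below is an added example, not part of the Joe Sandbox report, and recomputes those fields for the two tiny Iconset INI files whose Preview lines appear in the records above (23 and 24 bytes). It assumes the '.' that Preview substitutes for non-printable bytes is a line feed; the reported sizes and the "ASCII text" file type are consistent with that assumption. The expected numbers are copied from the report: a matching size and entropy only confirm the byte histogram, while a matching MD5 confirms the exact byte sequence, line terminator included.

```python
"""Recompute the size, 8-bit Shannon entropy and hashes of a dropped file
from its reconstructed content and compare them with a sandbox record.

Added example, not taken from the Joe Sandbox report. The file contents
below are constructed from the Preview lines, assuming LF line endings.
"""

import hashlib
import math
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte, the 'Entropy (8bit)' figure in the report.

    H = -sum(p_i * log2(p_i)) over the byte values that occur. The result
    ranges from 0.0 (a single repeated byte) to 8.0 (uniform random bytes);
    packed or encrypted payloads sit close to 8, plain config text well below.
    """
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def describe(data: bytes) -> dict:
    """Return the fields a dropped-file record carries for the given bytes.

    Hex digests are upper-cased to match the report's formatting.
    """
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


# Constructed reconstructions of the two INI files shown in the Preview
# column as '[General].Iconset=Dark.' and '[General].Iconset=Light.'.
# The LF terminator is an assumption; the sizes (23 and 24) support it.
ICONSET_DARK = b"[General]\nIconset=Dark\n"
ICONSET_LIGHT = b"[General]\nIconset=Light\n"

# Values copied from the corresponding records in the report.
REPORTED = {
    "dark": {
        "size": 23,
        "entropy": 3.9690016298759936,
        "md5": "F65E7C074167CF02D1A9405A623A5D43",
    },
    "light": {
        "size": 24,
        "entropy": 4.136842188131013,
        "md5": "2BE834BAC02BFB69E1E7935A62A6B8FB",
    },
}


def check_against_report(data: bytes, reported: dict) -> dict:
    """Compare a reconstruction with the report's numbers.

    size_ok and entropy_ok hold when the byte histogram is right; md5_ok
    holds only when the exact byte sequence (including the newline
    convention) is right, so it is the stronger confirmation.
    """
    got = describe(data)
    return {
        "size_ok": got["size"] == reported["size"],
        "entropy_ok": math.isclose(
            got["entropy"], reported["entropy"], rel_tol=0.0, abs_tol=1e-9
        ),
        "md5_ok": got["md5"] == reported["md5"],
        "computed": got,
    }


if __name__ == "__main__":
    for name, blob in (("dark", ICONSET_DARK), ("light", ICONSET_LIGHT)):
        result = check_against_report(blob, REPORTED[name])
        print(name, result)
```

The same `describe` call on a file pulled from an infected host gives the values to compare against the SHA-256 in the report; the entropy value is a cheap first look at whether a dropped file is plain text like these theme and INI files or a packed or encrypted blob.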
Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
SSDEEP:3:1ERdiAzOv:1+pOv
MD5:F65E7C074167CF02D1A9405A623A5D43
SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
Malicious:false
Preview:[General].Iconset=Dark.

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):15079
Entropy (8bit):5.28265925029125
Encrypted:false
SSDEEP:192:s/n/sMm84wYR/J5iYY5M8Ex8BDNRoXPkXPiSc3d/KbjcW6Nn4B80lkGSrT9xIHtw:s/nlm8NYR/fiYzRXMXcNLWE4B80lAT9
MD5:5C5BBA3EB67B730F9D27613787AD56C1
SHA1:780C18DC24B087D6546DF76F3B6146A6063C62D6
SHA-256:D81FE559C6EA8111E29EB676F1F861982885C05BA9C6126B503293883190B82A
SHA-512:EDE31EED39D520618E311EB8F6ADD2B9165A1B7085BB14FC463E9213C4C1569FE8F75E74B12A87F0504AFDDECA65FF6843443EB1B949A1F5AB05CE2DE3C8A2A3
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#95B0DB\nrt_base_color:#dddddd\nrt_fg_color:#0A0A0A\nrt_tooltip_fg_color:#000000\nrt_selected_bg_color:#95B0DB\nrt_selected_fg_c

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):15239
Entropy (8bit):5.282174443982065
Encrypted:false
SSDEEP:384:s/nmm8VYR/fiYMFxNps38FfPVn4BT0liTv:s/nN60iYB38Fle0l0
MD5:C3269CDBA36C727D93539A43D317F22D
SHA1:46BDA5118D7B46D5BD440BB07A20C0B579E7E9C3
SHA-256:CA57AF744007A9A701689FD379642707208098E4E0FB22CDE4A772E90C19BE0C
SHA-512:692307A48C72346006755CDDE3A537CCAD4B837CF77F58D9B86F3CCAD421C3D0A346D9D3A874EC37B3F874C7130CF4CEA044CBC694B189D649500734E394CEC4
Malicious:false
Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#800000\nrt_base_color:#1A1A1A\nrt_fg_color:#909090\nrt_tooltip_fg_color:#1A1A1A\nrt_selected_bg_color:#703535\nrt_selected_fg_c

Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type:ASCII text
Category:dropped
Size (bytes):23
Entropy (8bit):3.9690016298759936
Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAzOv:1+pOv
                                                                                                            MD5:F65E7C074167CF02D1A9405A623A5D43
                                                                                                            SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
                                                                                                            SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
                                                                                                            SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Dark.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):23
                                                                                                            Entropy (8bit):3.9690016298759936
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAzOv:1+pOv
                                                                                                            MD5:F65E7C074167CF02D1A9405A623A5D43
                                                                                                            SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
                                                                                                            SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
                                                                                                            SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Dark.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):23
                                                                                                            Entropy (8bit):3.9690016298759936
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAzOv:1+pOv
                                                                                                            MD5:F65E7C074167CF02D1A9405A623A5D43
                                                                                                            SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
                                                                                                            SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
                                                                                                            SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Dark.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):15008
                                                                                                            Entropy (8bit):5.270725103917416
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:s/nUm8NYR/fiYM8LXMX5fs38Ffx4Bf0lAT9:s/nX00iY/XMXq38FxK0lq
                                                                                                            MD5:64C98ACB587FC7E4F237EADAA84A591D
                                                                                                            SHA1:B92C3D066E67FC230D56E690AE1CC21222265614
                                                                                                            SHA-256:6E8E87C68E7EFC5CCF8694042649DE3EBA01EC1DF242C22D40842AF885D1118D
                                                                                                            SHA-512:B1542C0E3D5411CD8581150FE2D81401C93686E7E43754E8BF8F78ACBEB73A041F7D9223D7DC8072C132273D1DB6EB9917ED04F9F2123C1CEA4062E59CD7F129
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_base_color:#ffffff\nrt_fg_color:#101010\nrt_tooltip_fg_color:#000000\nrt_selected_bg_color:#7C99AD\nrt_selected_fg_color:#ffffff\nrt_text_c
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):15436
                                                                                                            Entropy (8bit):5.281175225799727
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:s/nSm8NYRhznYEFEXbXRN0s38FfCVs4BT0liTv:s/nJ0CnYFXbX738Ffe0l0
                                                                                                            MD5:5326376204234C52BF4638EED7E78F79
                                                                                                            SHA1:6F52624611F604634EC2C2CB3248B826EFE1CB3C
                                                                                                            SHA-256:85E35BC02C414BB40D2E06BD827C4DD24E42F39BACF51281BDD33E88C5A0E557
                                                                                                            SHA-512:CC778FCBA32A975BE9431B9F6AD76DF4145CF29B8D133BC375EE12DB675B7E837CFEC916A1049572FEBEA6F70D8911B378BE6CBE7569E293D90FB3F118C1AD91
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#800000\nrt_base_color:#707070\nrt_fg_color:#A9A9A9\nrt_tooltip_fg_color:#A5A5A5\nrt_selected_bg_color:#562020\nrt_selected_fg_c
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):15239
                                                                                                            Entropy (8bit):5.282699280859126
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:s/nDm8VYR/fiYMFxNps38FfPVn4BT0liTv:s/ny60iYB38Fle0l0
                                                                                                            MD5:D5211F2DA91C68A3C5AEFE99F8881134
                                                                                                            SHA1:E41A6DCEB922123B87B517C1150F84E7995589D8
                                                                                                            SHA-256:57B4F9C0373DEE96BD5099A5D1D82AB88BFCD1C880089418B1CA5E9D57C7E575
                                                                                                            SHA-512:E7BCDDA191F4FD390E0D388D442056495DA1C7A2301762BD116E838728B32F1CA992389CE9C5C692E34F46F023010661FC67B18B7B0E4D6467D47D5E4CFC2709
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#843382\nrt_base_color:#1A1A1A\nrt_fg_color:#909090\nrt_tooltip_fg_color:#1A1A1A\nrt_selected_bg_color:#5D235C\nrt_selected_fg_c
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):23
                                                                                                            Entropy (8bit):3.9690016298759936
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAzOv:1+pOv
                                                                                                            MD5:F65E7C074167CF02D1A9405A623A5D43
                                                                                                            SHA1:0B62AD68856BF58583D295293961EA942DBE27EC
                                                                                                            SHA-256:EE963FB39C318C76E975083B1BB91413AFD02BEDEE712DE485BC1E5BE62BBE2D
                                                                                                            SHA-512:E595E7F7C773335A1450309777F79F2005E7BFD6B0D9E4C0985C6FA669776AE3043098C32D3D2AE08E471DC2A7029D231A7D3F92D83964195DDBC960BA4ED3F5
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Dark.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):15316
                                                                                                            Entropy (8bit):5.285205732529683
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:s/nfm8NYR/fiY3FIXMXRNAs38FfCVn4BT0liTv:s/ne00iYmXMX/38F4e0l0
                                                                                                            MD5:D7F0E29E72DD6DA10FCD68F9CB000306
                                                                                                            SHA1:6D1350F4EB13226E24BEE8CCFDC263F60378736B
                                                                                                            SHA-256:8C9BB9F265CFF75693F8931DA1394C4570EC2B7659513191FE8C3FB714A5689D
                                                                                                            SHA-512:541BA15E9F02D24A63B1246C86E934C39B3CDDDAAFAB683AE9D9459BC2105C5F0B401E111BE3663397C08774D4CC5D3A11AC31B40E250DA863C17B063247C003
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#606060\nrt_base_color:#525252\nrt_fg_color:#979797\nrt_tooltip_fg_color:#A0A0A0\nrt_selected_bg_color:#606060\nrt_selected_fg_c
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):15239
                                                                                                            Entropy (8bit):5.282415689355835
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:s/nvm8VYR/fiYMFxNps38FfPVn4BT0liTv:s/nO60iYB38Fle0l0
                                                                                                            MD5:3E78B1EB9CF6F1C5BD2C3C0D8FD0CF63
                                                                                                            SHA1:66102FFCE69EE1042CA4CF8AE458E812255804F6
                                                                                                            SHA-256:5FFFC48BBC55B5EA0A6940465F6CBE17DB8C962CFE877ACEEDD46C1B0501E56F
                                                                                                            SHA-512:DC01DFB88CEFDEFD33B9C989006EF0E79110E6F5BE61D23336AD7CC2D936C8283C49F3D1ABBEED2BF05C751E1D19F49B1363905AB1EBB828FC39DA8576772ACD
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_salt_pinch:#FF8000\nrt_base_color:#1A1A1A\nrt_fg_color:#909090\nrt_tooltip_fg_color:#1A1A1A\nrt_selected_bg_color:#B3641B\nrt_selected_fg_c
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):3276
                                                                                                            Entropy (8bit):5.106247394055059
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:9yjeGR/K4ysHjBcKKFyY+fwVsFcDIYMkSnvRN55FQcsFnZFnFveKW+dFKeQFqer/:sjbR/njBz1QsFcUYnSR3QzwLwS
                                                                                                            MD5:72CACEE801EFA43AE137706B6A355D87
                                                                                                            SHA1:20AB5543B96FB36AE8540DF45022229E0A1EE780
                                                                                                            SHA-256:72EC12AEC248C88FA8D0EC7D3185F74006E45D092736B9EF8C15692C69A1355E
                                                                                                            SHA-512:FB2769296F2CF702E7387B6F959FE02EFC2AC96C9E782472C6CA93BD9E8C76FBE2BD725AF227E7444452735B96757C3ACFF51BE5D6A1FB6226E5FD7583D00FC6
                                                                                                            Malicious:false
                                                                                                            Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "salt_pinch:#95B0DB\nbase_color:#dddddd\nfg_color:#0A0A0A\ntooltip_fg_color:#000000\nselected_bg_color:#95B0DB\nselected_fg_color:#FFFFFF\ntext
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):24
                                                                                                            Entropy (8bit):4.136842188131013
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1ERdiAqRv:1+MJ
                                                                                                            MD5:2BE834BAC02BFB69E1E7935A62A6B8FB
                                                                                                            SHA1:6165F776AC298A991E497B03E9C2E1797ED81029
                                                                                                            SHA-256:113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
                                                                                                            SHA-512:1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
                                                                                                            Malicious:false
                                                                                                            Preview:[General].Iconset=Light.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):720373
                                                                                                            Entropy (8bit):6.507155477779126
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:Vhu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURFFDExyFZ:nu7eEYCP8trP837szHUA60SLtcV3E9k9
                                                                                                            MD5:74DE04C1DA3B854F12AE2E6C63AACF1D
                                                                                                            SHA1:18B6BEA4B7F04DF51BA3FCE01FDCB2A016714EB1
                                                                                                            SHA-256:CEB3C30CD6ED1CA29EE3A058D953BF2C7FE3B31452B4B8DD219D06D4138310E5
                                                                                                            SHA-512:F9E834F68ADCB2729ADF97AD96CBA376E9639D0348C326A0375B32623BBB5C08C782C5DFCC3505889179E6F9193AF0B8B6508F57D34CCD2F027C7E9A56FC077C
                                                                                                            Malicious:true
                                                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type: InnoSetup Log Zexter Video Codec, version 0x30, 14098 bytes, 066656\user, "C:\Users\user\AppData\Local\Zexter Video Codec"
Category: dropped
Size (bytes): 14098
Entropy (8bit): 5.05852090437408
Encrypted: false
SSDEEP: 96:VSyWDKr89HpVoN1Zl9J+eOIhtS3nfXNBtzMV2bwb6wrHve:gyWmrkHpVoNXYHIhwY6cHW
MD5: 6EEAAD2C80C8CE5958CE05F453667A11
SHA1: 9F69D88C27D08CCC785AF90B4279D8E68DB664C4
SHA-256: CD137533EE89F248082BD0AEEA5B93D8BBFA10A8C141FA268FC9723F35B596B0
SHA-512: E7AEB3AC4F24FE89C0B381F5F92C1FB83185B6EE5D087AC7CCE55DD96392AD275B3C398B4942D28DBF099BE51640DA71E3A24418D84709CD5A01A68FA003B4A1
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 720373
Entropy (8bit): 6.507155477779126
Encrypted: false
SSDEEP: 12288:Vhu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURFFDExyFZ:nu7eEYCP8trP837szHUA60SLtcV3E9k9
MD5: 74DE04C1DA3B854F12AE2E6C63AACF1D
SHA1: 18B6BEA4B7F04DF51BA3FCE01FDCB2A016714EB1
SHA-256: CEB3C30CD6ED1CA29EE3A058D953BF2C7FE3B31452B4B8DD219D06D4138310E5
SHA-512: F9E834F68ADCB2729ADF97AD96CBA376E9639D0348C326A0375B32623BBB5C08C782C5DFCC3505889179E6F9193AF0B8B6508F57D34CCD2F027C7E9A56FC077C
Malicious: true
Process: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 3022336
Entropy (8bit): 7.1621335495556915
Encrypted: false
SSDEEP: 49152:LvuOCl8ZHuL49v5Z3GCWLV9/OPKRsPbxTM3aDM1mxKD9PfcH89hsa5yPM28go:LvuuZE49TGnLV9/OiRsPbxTM3aDrKD5F
MD5: C84C1723350D751DF4CA78CC230B5EA7
SHA1: BB32FA00AB20A534B453224CF0B921824E67FC31
SHA-256: F1F987CA137B5D370088685C6921EEA43CC3A5FC47493EDFB60AAE4B201E1E97
SHA-512: F673D5518BB29983C9243C9E69659A688441D2F51E89B9FFAF8856B2B454DCBE893F4BECD89DC5C11BF7C30262A9296A10DAEC2ED29F186D71161BE96FAA18B6
Malicious: true
Process: C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 98626
Entropy (8bit): 6.478068795827396
Encrypted: false
SSDEEP: 1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
MD5: 70CA53E8B46464CCF956D157501D367A
SHA1: AE0356FAE59D9C2042270E157EA0D311A831C86A
SHA-256: 4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
SHA-512: CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
Malicious: false
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9995248545747035
TrID:
• Win32 Executable (generic) a (10002005/4) 98.86%
• Inno Setup installer (109748/4) 1.08%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: noode.exe
File size: 8'037'905 bytes
MD5: 8d369c7a83bea4727ab814c6e09ea24e
SHA1: 918e3271610b1e2fb46e2e18b1f9f4ca3aa60d83
SHA256: 36024fb876d8059740b825f25de708368a223bbbacf02d73d003d4e4eeb88657
SHA512: c8732a74364fc418efa91fde533d21a2cfa493eac54b52a6b9f8b1d5b4741278d57a83eeb5599c54a72c785851b609ccf55bd342fde04ab3e9d0d75fa843693e
SSDEEP: 196608:UeY3AFw/Uk8CWjhkURk4OT85To0MNLCEeTgt52f4ivvYlB/VzTNAQLZLySR:UZ3ArVqg58NLtTv2tvvYv/FRAOtySR
TLSH: AC863323D280E13CE1189E38A964D3BC88727E310AF6517C26DE6D57F76E5125E363B2
Icon Hash: 2d2e3797b32b2b99
Entrypoint: 0x409c40
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 1
OS Version Minor: 0
File Version Major: 1
File Version Minor: 0
Subsystem Version Major: 1
Subsystem Version Minor: 0
Import Hash: 884310b1928934402ea6fec1dbd3cf5e
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007FB3ACB9C84Bh
call 00007FB3ACB9DA52h
call 00007FB3ACB9DCE1h
call 00007FB3ACB9FD18h
call 00007FB3ACB9FD5Fh
call 00007FB3ACBA268Eh
call 00007FB3ACBA27F5h
xor eax, eax
push ebp
push 0040A2FCh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A2C5h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007FB3ACBA325Bh
call 00007FB3ACBA2E8Eh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007FB3ACBA0348h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CE24h
call 00007FB3ACB9C8F7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CE24h]
mov dl, 01h
mov eax, 0040738Ch
call 00007FB3ACBA0BD7h
mov dword ptr [0040CE28h], eax
xor edx, edx
push ebp
push 0040A27Dh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FB3ACBA32CBh
mov dword ptr [0040CE30h], eax
mov eax, dword ptr [0040CE30h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FB3ACBA340Ah
mov eax, dword ptr [0040CE30h]
mov edx, 00000028h
call 00007FB3ACBA0FD8h
mov edx, dword ptr [00000030h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9364 | 0x9400 | 2c410dfc3efd04d9b69c35c70921424e | False | 0.6147856841216216 | data | 6.560885192755103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | d5ea23d4ecf110fd2591314cbaa84278 | False | 0.310546875 | data | 2.7390956346874638 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe88 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 92146cf9fa13c3912a304d660fbbe315 | False | 0.32270951704545453 | data | 4.459519332417196 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.2764900662251656
RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-02T17:21:55.285352+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49720 | 185.208.158.248 | 80 | TCP
2024-10-02T17:21:56.125364+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49721 | 185.208.158.248 | 80 | TCP
2024-10-02T17:21:56.932996+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49722 | 185.208.158.248 | 80 | TCP
2024-10-02T17:21:57.287370+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49722 | 185.208.158.248 | 80 | TCP
2024-10-02T17:21:58.138415+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49723 | 185.208.158.248 | 80 | TCP
2024-10-02T17:21:58.944353+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49724 | 185.208.158.248 | 80 | TCP
2024-10-02T17:21:59.770625+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49725 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:00.605057+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49726 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:01.427192+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49727 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:02.481291+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49728 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:02.831837+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49728 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:03.671640+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49729 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:04.527040+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49730 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:05.364360+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49731 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:06.205245+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49732 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:07.021817+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49733 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:07.871340+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49734 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:08.692805+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49735 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:09.507246+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49736 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:10.370373+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49737 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:10.728734+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49737 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:11.085726+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49737 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:11.923119+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49738 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:12.974136+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49739 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:13.781574+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49740 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:14.812518+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49741 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:15.656583+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49743 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:16.501887+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49744 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:17.466818+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49745 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:18.323363+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49746 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:18.673759+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49746 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:19.525177+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49747 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:20.385107+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49748 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:20.735908+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49748 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:21.565453+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49749 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:22.422149+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49750 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:23.255503+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49751 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:24.066322+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49752 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:25.108590+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49753 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:25.964085+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49754 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:26.322625+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49754 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:26.675634+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49754 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:27.557410+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49755 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:28.406612+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49756 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:29.259310+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49757 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:30.080552+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49758 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:30.924484+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49759 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:31.736728+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49760 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:32.587248+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49761 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:33.407992+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49762 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:34.237696+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49763 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:35.061508+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49764 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:35.412954+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49764 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:36.270048+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49765 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:37.079194+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49766 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:37.891318+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49767 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:38.711865+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49768 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:39.520385+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49769 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:40.347580+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49770 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:41.166030+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49771 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:41.517925+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49771 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:42.477751+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49772 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:43.334610+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49773 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:44.142875+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49774 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:44.956588+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49775 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:45.780082+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49776 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:46.137153+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49776 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:46.976080+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49777 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:47.786807+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49778 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:48.602361+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49779 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:49.423984+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49780 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:50.250720+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49781 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:51.058937+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49782 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:51.896721+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49783 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:52.732833+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49784 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:53.082067+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49784 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:53.904413+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49785 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:54.736887+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49786 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:55.567627+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49787 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:56.374783+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49788 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:57.210566+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49789 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:58.056379+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49790 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:58.878051+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49791 | 185.208.158.248 | 80 | TCP
2024-10-02T17:22:59.691285+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49792 | 185.208.158.248 | 80 | TCP
2024-10-02T17:23:00.518928+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49793 | 185.208.158.248 | 80 | TCP
2024-10-02T17:23:01.940821+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49794 | 185.208.158.248 | 80 | TCP
2024-10-02T17:23:02.775416+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49796 | 185.208.158.248 | 80 | TCP
2024-10-02T17:23:03.621208+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.12 | 49797 | 185.208.158.248 | 80 | TCP
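The alert table above shows the same SID firing roughly every 0.8 s, almost always from a fresh source port, which is the signature of a client that opens one short HTTP connection per poll. The script below is an added example, not part of the Joe Sandbox report or of any vendor tooling: it parses a constructed sample of seven rows copied by hand from the table (pipe-delimited, same column order) and measures the cadence per (SID, source, destination, port) flow. The "beaconing" thresholds (at least 5 hits, at least three quarters of the gaps within 25% of the median gap) are illustrative assumptions chosen for this example, not values the report states.

```python
"""Beacon-cadence check over Suricata alert rows (added example, not report code).

The rows in SAMPLE_ALERTS are a constructed sample copied from the alert table
above so the script runs offline. Field order follows that table: timestamp,
SID, signature, severity, source IP, source port, destination IP,
destination port, protocol.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_ALERTS = """\
2024-10-02T17:21:55.285352+0200|2049467|ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1|1|192.168.2.12|49720|185.208.158.248|80|TCP
2024-10-02T17:21:56.125364+0200|2049467|ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1|1|192.168.2.12|49721|185.208.158.248|80|TCP
2024-10-02T17:21:56.932996+0200|2049467|ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1|1|192.168.2.12|49722|185.208.158.248|80|TCP
2024-10-02T17:21:57.287370+0200|2049467|ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1|1|192.168.2.12|49722|185.208.158.248|80|TCP
2024-10-02T17:21:58.138415+0200|2049467|ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1|1|192.168.2.12|49723|185.208.158.248|80|TCP
2024-10-02T17:21:58.944353+0200|2049467|ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1|1|192.168.2.12|49724|185.208.158.248|80|TCP
2024-10-02T17:21:59.770625+0200|2049467|ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1|1|192.168.2.12|49725|185.208.158.248|80|TCP
"""

FIELDS = ("ts", "sid", "signature", "severity",
          "src_ip", "src_port", "dst_ip", "dst_port", "proto")


def parse_alerts(text):
    """Parse pipe-delimited alert rows; timestamps become timezone-aware datetimes."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(FIELDS, line.split("|")))
        # %z accepts the "+0200" offset form used in the report.
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        row["sid"] = int(row["sid"])
        row["src_port"] = int(row["src_port"])
        row["dst_port"] = int(row["dst_port"])
        alerts.append(row)
    return alerts


def beacon_stats(alerts, min_hits=5, tolerance=0.25, regular_min=0.75):
    """Group alerts per (sid, src_ip, dst_ip, dst_port) flow and measure cadence.

    A flow counts as beaconing when it has at least `min_hits` alerts and at
    least `regular_min` of the inter-alert gaps lie within `tolerance` of the
    median gap. The thresholds are illustrative assumptions for this example.
    """
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["sid"], a["src_ip"], a["dst_ip"], a["dst_port"])].append(a)

    results = {}
    for key, hits in flows.items():
        hits.sort(key=lambda a: a["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        med = median(gaps) if gaps else 0.0
        regular = sum(1 for g in gaps if med and abs(g - med) <= tolerance * med)
        regular_frac = regular / len(gaps) if gaps else 0.0
        results[key] = {
            "count": len(hits),
            # One fresh ephemeral port per hit means one connection per poll.
            "distinct_src_ports": len({a["src_port"] for a in hits}),
            "median_gap_s": med,
            "regular_fraction": regular_frac,
            "beaconing": len(hits) >= min_hits and regular_frac >= regular_min,
        }
    return results


if __name__ == "__main__":
    for key, stats in beacon_stats(parse_alerts(SAMPLE_ALERTS)).items():
        print(key, stats)
```

On the seven sample rows the flow to 185.208.158.248:80 has a median gap of about 0.82 s; the one short gap (two alerts on port 49722, 0.35 s apart) is the same connection firing twice and is the reason the check tolerates a minority of irregular gaps instead of demanding a constant interval. Run against the full table the same logic gives the same verdict, since the cadence holds for the whole capture.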
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 17:21:54.571451902 CEST | 49720 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:54.576491117 CEST | 80 | 49720 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:54.576600075 CEST | 49720 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:54.576849937 CEST | 49720 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:54.581686974 CEST | 80 | 49720 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:55.284823895 CEST | 80 | 49720 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:55.285351992 CEST | 49720 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:55.418169022 CEST | 49720 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:55.418590069 CEST | 49721 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:55.423526049 CEST | 80 | 49720 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:55.423542976 CEST | 80 | 49721 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:55.423605919 CEST | 49720 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:55.423667908 CEST | 49721 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:55.423938990 CEST | 49721 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:55.428673983 CEST | 80 | 49721 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:56.125294924 CEST | 80 | 49721 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:56.125364065 CEST | 49721 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:56.247322083 CEST | 49721 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:56.247653961 CEST | 49722 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:56.252542019 CEST | 80 | 49721 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:56.252561092 CEST | 80 | 49722 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:56.252666950 CEST | 49721 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:56.252693892 CEST | 49722 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:56.252859116 CEST | 49722 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:56.257669926 CEST | 80 | 49722 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:56.932799101 CEST | 80 | 49722 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:56.932996035 CEST | 49722 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:57.043400049 CEST | 49722 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:57.048489094 CEST | 80 | 49722 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:57.285186052 CEST | 80 | 49722 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:57.287369967 CEST | 49722 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:57.403038025 CEST | 49722 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:57.403347015 CEST | 49723 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:57.408170938 CEST | 80 | 49722 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:57.408195972 CEST | 80 | 49723 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:57.408246994 CEST | 49722 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:57.408279896 CEST | 49723 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:57.408431053 CEST | 49723 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:57.413191080 CEST | 80 | 49723 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:58.138324976 CEST | 80 | 49723 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:58.138415098 CEST | 49723 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:58.261856079 CEST | 49723 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:58.262248039 CEST | 49724 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:58.267060995 CEST | 80 | 49723 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:58.267077923 CEST | 80 | 49724 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:58.267143011 CEST | 49723 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:58.267189980 CEST | 49724 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:58.267374039 CEST | 49724 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:58.272120953 CEST | 80 | 49724 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:58.944242954 CEST | 80 | 49724 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:21:58.944353104 CEST | 49724 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:59.058818102 CEST | 49724 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:59.059237003 CEST | 49725 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:21:59.064129114 CEST | 80 | 49724 | 185.208.158.248 | 192.168.2.12
                                                                                                            Oct 2, 2024 17:21:59.064189911 CEST8049725185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:21:59.064253092 CEST4972480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:21:59.064326048 CEST4972580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:21:59.064527988 CEST4972580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:21:59.069320917 CEST8049725185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:21:59.770565033 CEST8049725185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:21:59.770625114 CEST4972580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:21:59.886858940 CEST4972580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:21:59.887170076 CEST4972680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:21:59.892079115 CEST8049726185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:21:59.892146111 CEST8049725185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:21:59.892175913 CEST4972680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:21:59.892208099 CEST4972580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:21:59.893167973 CEST4972680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:21:59.897943974 CEST8049726185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:00.604753971 CEST8049726185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:00.605057001 CEST4972680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:00.730968952 CEST4972680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:00.731395960 CEST4972780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:00.736165047 CEST8049726185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:00.736193895 CEST8049727185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:00.736222982 CEST4972680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:00.736283064 CEST4972780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:00.737040043 CEST4972780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:00.741859913 CEST8049727185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:01.427088976 CEST8049727185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:01.427191973 CEST4972780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:01.543520927 CEST4972780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:01.544063091 CEST4972880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:01.548726082 CEST8049727185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:01.548913002 CEST4972780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:01.548947096 CEST8049728185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:01.549084902 CEST4972880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:01.549348116 CEST4972880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:01.554136992 CEST8049728185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:02.481178999 CEST8049728185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:02.481291056 CEST4972880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:02.482280016 CEST8049728185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:02.482342958 CEST4972880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:02.590393066 CEST4972880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:02.595381021 CEST8049728185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:02.831512928 CEST8049728185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:02.831836939 CEST4972880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:02.949517965 CEST4972880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:02.949848890 CEST4972980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:02.954708099 CEST8049728185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:02.954797983 CEST4972880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:02.955022097 CEST8049729185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:02.955096960 CEST4972980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:02.955251932 CEST4972980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:02.960217953 CEST8049729185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:03.671544075 CEST8049729185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:03.671639919 CEST4972980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:03.810770988 CEST4972980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:03.811183929 CEST4973080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:03.816776037 CEST8049729185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:03.816829920 CEST8049730185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:03.816860914 CEST4972980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:03.816906929 CEST4973080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:03.817024946 CEST4973080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:03.822117090 CEST8049730185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:04.526818037 CEST8049730185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:04.527040005 CEST4973080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:04.652322054 CEST4973080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:04.652698040 CEST4973180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:04.657604933 CEST8049730185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:04.657650948 CEST8049731185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:04.657713890 CEST4973080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:04.657778978 CEST4973180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:04.657951117 CEST4973180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:04.662769079 CEST8049731185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:05.364103079 CEST8049731185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:05.364360094 CEST4973180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:05.480912924 CEST4973180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:05.481231928 CEST4973280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:05.486113071 CEST8049732185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:05.486124992 CEST8049731185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:05.486176968 CEST4973280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:05.486198902 CEST4973180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:05.486341953 CEST4973280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:05.491286039 CEST8049732185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:06.204998970 CEST8049732185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:06.205245018 CEST4973280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:06.328567028 CEST4973280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:06.329440117 CEST4973380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:06.333869934 CEST8049732185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:06.333961010 CEST4973280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:06.334537029 CEST8049733185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:06.334614038 CEST4973380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:06.334799051 CEST4973380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:06.339644909 CEST8049733185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:07.021503925 CEST8049733185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:07.021816969 CEST4973380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:07.143650055 CEST4973380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:07.144601107 CEST4973480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:07.149091005 CEST8049733185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:07.149269104 CEST4973380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:07.149436951 CEST8049734185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:07.149584055 CEST4973480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:07.150264025 CEST4973480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:07.155111074 CEST8049734185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:07.871171951 CEST8049734185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:07.871340036 CEST4973480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:07.996279001 CEST4973480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:07.996609926 CEST4973580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:08.001449108 CEST8049735185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:08.001482964 CEST8049734185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:08.001583099 CEST4973480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:08.001661062 CEST4973580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:08.002016068 CEST4973580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:08.006931067 CEST8049735185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:08.692656994 CEST8049735185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:08.692805052 CEST4973580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:08.809014082 CEST4973580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:08.809432983 CEST4973680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:08.815675020 CEST8049735185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:08.815778971 CEST4973580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:08.816004992 CEST8049736185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:08.816087008 CEST4973680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:08.816237926 CEST4973680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:08.822958946 CEST8049736185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:09.507175922 CEST8049736185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:09.507246017 CEST4973680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:09.659365892 CEST4973680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:09.659806967 CEST4973780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:09.665443897 CEST8049736185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:09.665458918 CEST8049737185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:09.665554047 CEST4973680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:09.665592909 CEST4973780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:09.666454077 CEST4973780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:09.671901941 CEST8049737185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:10.370194912 CEST8049737185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:10.370373011 CEST4973780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:10.489131927 CEST4973780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:10.494807959 CEST8049737185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:10.728662014 CEST8049737185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:10.728734016 CEST4973780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:10.846329927 CEST4973780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:10.852632046 CEST8049737185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:11.085577965 CEST8049737185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:11.085726023 CEST4973780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:11.205667973 CEST4973780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:11.206631899 CEST4973880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:11.213418007 CEST8049737185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:11.213522911 CEST4973780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:11.214219093 CEST8049738185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:11.214302063 CEST4973880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:11.214560986 CEST4973880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:11.219523907 CEST8049738185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:11.922939062 CEST8049738185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:11.923119068 CEST4973880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:12.263536930 CEST4973880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:12.263933897 CEST4973980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:12.268764973 CEST8049738185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:12.268822908 CEST4973880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:12.268965960 CEST8049739185.208.158.248192.168.2.12
Oct 2, 2024 17:22:12.269059896 CEST  49739     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:12.269401073 CEST  49739     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:12.274139881 CEST     80  49739  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:12.973983049 CEST     80  49739  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:12.974136114 CEST  49739     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:13.091336012 CEST  49739     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:13.092269897 CEST  49740     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:13.096599102 CEST     80  49739  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:13.096723080 CEST  49739     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:13.097055912 CEST     80  49740  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:13.097162008 CEST  49740     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:13.097531080 CEST  49740     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:13.102317095 CEST     80  49740  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:13.781404972 CEST     80  49740  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:13.781574011 CEST  49740     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:13.911262035 CEST  49740     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:13.911808014 CEST  49741     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:14.102940083 CEST     80  49741  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:14.102976084 CEST     80  49740  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:14.103028059 CEST  49741     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:14.103068113 CEST  49740     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:14.103898048 CEST  49741     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:14.108760118 CEST     80  49741  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:14.810699940 CEST     80  49741  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:14.812517881 CEST  49741     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:14.933845997 CEST  49741     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:14.934272051 CEST  49743     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:14.939125061 CEST     80  49743  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:14.939153910 CEST     80  49741  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:14.939249039 CEST  49743     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:14.939300060 CEST  49741     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:14.939477921 CEST  49743     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:14.944245100 CEST     80  49743  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:15.654707909 CEST     80  49743  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:15.656583071 CEST  49743     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:15.778436899 CEST  49743     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:15.779323101 CEST  49744     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:15.783802032 CEST     80  49743  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:15.783910036 CEST  49743     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:15.784276009 CEST     80  49744  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:15.784476995 CEST  49744     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:15.784713030 CEST  49744     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:15.789537907 CEST     80  49744  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:16.501817942 CEST     80  49744  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:16.501887083 CEST  49744     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:16.621587038 CEST  49744     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:16.622144938 CEST  49745     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:16.626853943 CEST     80  49744  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:16.626991987 CEST  49744     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:16.627062082 CEST     80  49745  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:16.627156019 CEST  49745     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:16.627410889 CEST  49745     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:16.632358074 CEST     80  49745  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:17.466690063 CEST     80  49745  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:17.466818094 CEST  49745     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:17.591557026 CEST  49745     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:17.591947079 CEST  49746     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:17.596801996 CEST     80  49745  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:17.596865892 CEST  49745     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:17.597215891 CEST     80  49746  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:17.597296953 CEST  49746     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:17.597507954 CEST  49746     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:17.602442980 CEST     80  49746  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:18.323046923 CEST     80  49746  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:18.323363066 CEST  49746     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:18.434370995 CEST  49746     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:18.439577103 CEST     80  49746  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:18.673602104 CEST     80  49746  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:18.673758984 CEST  49746     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:18.797807932 CEST  49746     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:18.798508883 CEST  49747     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:18.803406000 CEST     80  49747  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:18.803508043 CEST  49747     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:18.803656101 CEST  49747     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:18.808408976 CEST     80  49747  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:18.808541059 CEST     80  49746  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:18.808619022 CEST  49746     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:19.525067091 CEST     80  49747  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:19.525177002 CEST  49747     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:19.658508062 CEST  49747     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:19.659009933 CEST  49748     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:19.664074898 CEST     80  49747  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:19.664120913 CEST     80  49748  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:19.664165020 CEST  49747     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:19.664216042 CEST  49748     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:19.665271044 CEST  49748     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:19.670113087 CEST     80  49748  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:20.384814978 CEST     80  49748  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:20.385107040 CEST  49748     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:20.496782064 CEST  49748     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:20.501666069 CEST     80  49748  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:20.735647917 CEST     80  49748  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:20.735908031 CEST  49748     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:20.871875048 CEST  49748     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:20.872257948 CEST  49749     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:20.877541065 CEST     80  49748  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:20.877612114 CEST  49748     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:20.877868891 CEST     80  49749  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:20.877944946 CEST  49749     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:20.878221989 CEST  49749     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:20.883934975 CEST     80  49749  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:21.565212965 CEST     80  49749  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:21.565453053 CEST  49749     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:21.700979948 CEST  49749     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:21.701302052 CEST  49750     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:21.706249952 CEST     80  49750  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:21.706358910 CEST  49750     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:21.706398964 CEST     80  49749  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:21.706448078 CEST  49749     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:21.706581116 CEST  49750     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:21.711427927 CEST     80  49750  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:22.422032118 CEST     80  49750  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:22.422148943 CEST  49750     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:22.543457985 CEST  49750     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:22.543884039 CEST  49751     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:22.549062967 CEST     80  49750  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:22.549082041 CEST     80  49751  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:22.549141884 CEST  49750     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:22.549189091 CEST  49751     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:22.549433947 CEST  49751     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:22.554366112 CEST     80  49751  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:23.255326033 CEST     80  49751  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:23.255502939 CEST  49751     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:23.371705055 CEST  49751     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:23.372082949 CEST  49752     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:23.376924992 CEST     80  49752  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:23.376974106 CEST     80  49751  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:23.377068043 CEST  49752     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:23.377105951 CEST  49751     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:23.377302885 CEST  49752     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:23.382153034 CEST     80  49752  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:24.066184998 CEST     80  49752  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:24.066322088 CEST  49752     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:24.186198950 CEST  49752     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:24.186572075 CEST  49753     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:24.418385983 CEST     80  49753  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:24.418423891 CEST     80  49752  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:24.418540955 CEST  49752     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:24.418569088 CEST  49753     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:24.418931007 CEST  49753     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:24.423742056 CEST     80  49753  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:25.108486891 CEST     80  49753  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:25.108589888 CEST  49753     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:25.233616114 CEST  49753     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:25.234093904 CEST  49754     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:25.238809109 CEST     80  49753  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:25.238902092 CEST     80  49754  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:25.238948107 CEST  49753     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:25.239031076 CEST  49754     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:25.239288092 CEST  49754     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:25.244072914 CEST     80  49754  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:25.963884115 CEST     80  49754  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:25.964085102 CEST  49754     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:26.075743914 CEST  49754     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:26.080732107 CEST     80  49754  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:26.322350025 CEST     80  49754  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:26.322624922 CEST  49754     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:26.434293985 CEST  49754     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:26.439486980 CEST     80  49754  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:26.675345898 CEST     80  49754  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:26.675633907 CEST  49754     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:26.793483019 CEST  49754     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:26.793931961 CEST  49755     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:26.798728943 CEST     80  49755  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:26.798861027 CEST  49755     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:26.799102068 CEST  49755     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:26.803824902 CEST     80  49755  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:26.809111118 CEST     80  49754  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:26.809195995 CEST  49754     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:27.557333946 CEST     80  49755  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:27.557410002 CEST  49755     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:27.700342894 CEST  49755     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:27.700705051 CEST  49756     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:27.705566883 CEST     80  49755  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:27.705583096 CEST     80  49756  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:27.705661058 CEST  49755     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:27.705699921 CEST  49756     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:27.705885887 CEST  49756     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:27.710637093 CEST     80  49756  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:28.406485081 CEST     80  49756  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:28.406611919 CEST  49756     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:28.527817011 CEST  49757     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:28.530708075 CEST  49756     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:28.532845020 CEST     80  49757  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:28.532939911 CEST  49757     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:28.533102036 CEST  49757     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:28.536164045 CEST     80  49756  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:28.536231995 CEST  49756     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:28.537861109 CEST     80  49757  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:29.259200096 CEST     80  49757  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:29.259310007 CEST  49757     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:29.391935110 CEST  49757     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:29.392338991 CEST  49758     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:29.397195101 CEST     80  49758  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:29.397226095 CEST     80  49757  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:29.397283077 CEST  49758     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:29.397304058 CEST  49757     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:29.397397995 CEST  49758     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:29.402178049 CEST     80  49758  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:30.080368042 CEST     80  49758  185.208.158.248  192.168.2.12
Oct 2, 2024 17:22:30.080552101 CEST  49758     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:30.201021910 CEST  49758     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:30.201776028 CEST  49759     80  192.168.2.12     185.208.158.248
Oct 2, 2024 17:22:30.206383944 CEST     80  49758  185.208.158.248  192.168.2.12
                                                                                                            Oct 2, 2024 17:22:30.206485987 CEST4975880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:30.206554890 CEST8049759185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:30.206633091 CEST4975980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:30.206825018 CEST4975980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:30.211671114 CEST8049759185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:30.924400091 CEST8049759185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:30.924484015 CEST4975980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:31.042908907 CEST4975980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:31.043210983 CEST4976080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:31.048065901 CEST8049760185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:31.048135042 CEST4976080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:31.048306942 CEST4976080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:31.048311949 CEST8049759185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:31.048357964 CEST4975980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:31.053071022 CEST8049760185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:31.736641884 CEST8049760185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:31.736727953 CEST4976080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:31.855654001 CEST4976080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:31.855978966 CEST4976180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:31.861013889 CEST8049760185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:31.861043930 CEST8049761185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:31.861108065 CEST4976080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:31.861166000 CEST4976180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:31.861268044 CEST4976180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:31.866137028 CEST8049761185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:32.587048054 CEST8049761185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:32.587248087 CEST4976180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:32.699529886 CEST4976180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:32.699872971 CEST4976280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:32.704731941 CEST8049762185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:32.704816103 CEST4976280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:32.704973936 CEST4976280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:32.705127954 CEST8049761185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:32.705178022 CEST4976180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:32.709846973 CEST8049762185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:33.407902002 CEST8049762185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:33.407991886 CEST4976280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:33.533895969 CEST4976280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:33.534570932 CEST4976380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:33.539119005 CEST8049762185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:33.539248943 CEST4976280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:33.539484024 CEST8049763185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:33.539602041 CEST4976380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:33.539963007 CEST4976380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:33.544735909 CEST8049763185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:34.237572908 CEST8049763185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:34.237695932 CEST4976380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:34.355993986 CEST4976380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:34.356403112 CEST4976480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:34.361241102 CEST8049764185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:34.361363888 CEST4976480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:34.361366987 CEST8049763185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:34.361408949 CEST4976380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:34.361625910 CEST4976480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:34.366461039 CEST8049764185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:35.061338902 CEST8049764185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:35.061507940 CEST4976480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:35.168113947 CEST4976480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:35.173073053 CEST8049764185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:35.412843943 CEST8049764185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:35.412954092 CEST4976480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:35.527468920 CEST4976480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:35.527766943 CEST4976580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:35.532742023 CEST8049765185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:35.532860041 CEST8049764185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:35.532876015 CEST4976580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:35.532917976 CEST4976480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:35.532995939 CEST4976580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:35.537837029 CEST8049765185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:36.269864082 CEST8049765185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:36.270047903 CEST4976580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:36.392836094 CEST4976580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:36.393663883 CEST4976680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:36.398144960 CEST8049765185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:36.398245096 CEST4976580192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:36.398473024 CEST8049766185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:36.398549080 CEST4976680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:36.398720026 CEST4976680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:36.403517962 CEST8049766185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:37.079106092 CEST8049766185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:37.079194069 CEST4976680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:37.199588060 CEST4976680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:37.199867964 CEST4976780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:37.204729080 CEST8049767185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:37.204744101 CEST8049766185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:37.204797029 CEST4976780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:37.204828978 CEST4976680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:37.205013990 CEST4976780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:37.209718943 CEST8049767185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:37.891074896 CEST8049767185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:37.891318083 CEST4976780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:38.011580944 CEST4976780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:38.011904001 CEST4976880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:38.016855955 CEST8049767185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:38.016875982 CEST8049768185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:38.016983032 CEST4976780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:38.017014027 CEST4976880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:38.017165899 CEST4976880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:38.021929979 CEST8049768185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:38.711765051 CEST8049768185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:38.711864948 CEST4976880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:38.824578047 CEST4976880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:38.826205969 CEST4976980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:38.829756021 CEST8049768185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:38.829849958 CEST4976880192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:38.831378937 CEST8049769185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:38.831612110 CEST4976980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:38.831613064 CEST4976980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:38.836499929 CEST8049769185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:39.520319939 CEST8049769185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:39.520385027 CEST4976980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:39.636782885 CEST4976980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:39.637197971 CEST4977080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:39.642102003 CEST8049769185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:39.642148018 CEST8049770185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:39.642209053 CEST4976980192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:39.642268896 CEST4977080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:39.642401934 CEST4977080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:39.647265911 CEST8049770185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:40.347470045 CEST8049770185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:40.347579956 CEST4977080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:40.469517946 CEST4977080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:40.470463037 CEST4977180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:40.474891901 CEST8049770185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:40.474997044 CEST4977080192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:40.475291967 CEST8049771185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:40.475375891 CEST4977180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:40.475563049 CEST4977180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:40.480396986 CEST8049771185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:41.165951967 CEST8049771185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:41.166029930 CEST4977180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:41.280288935 CEST4977180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:41.285259008 CEST8049771185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:41.517831087 CEST8049771185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:41.517925024 CEST4977180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:41.637242079 CEST4977180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:41.637540102 CEST4977280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:41.642420053 CEST8049772185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:41.642540932 CEST4977280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:41.642553091 CEST8049771185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:41.642616034 CEST4977180192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:41.642621040 CEST4977280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:41.647614956 CEST8049772185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:42.477447987 CEST8049772185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:42.477751017 CEST4977280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:42.631689072 CEST4977280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:42.631997108 CEST4977380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:42.636970043 CEST8049772185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:42.637053013 CEST4977280192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:42.637109041 CEST8049773185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:42.637180090 CEST4977380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:42.641388893 CEST4977380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:42.646559954 CEST8049773185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:43.334400892 CEST8049773185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:22:43.334609985 CEST4977380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:22:43.449265957 CEST4977380192.168.2.12185.208.158.248
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 17:22:43.449548006 CEST | 49774 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:43.454406023 CEST | 80 | 49774 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:43.454483986 CEST | 49774 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:43.454531908 CEST | 80 | 49773 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:43.454581022 CEST | 49773 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:43.454715967 CEST | 49774 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:43.459538937 CEST | 80 | 49774 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:44.142744064 CEST | 80 | 49774 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:44.142874956 CEST | 49774 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:44.262049913 CEST | 49774 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:44.262417078 CEST | 49775 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:44.267290115 CEST | 80 | 49775 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:44.267405987 CEST | 49775 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:44.267528057 CEST | 80 | 49774 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:44.267587900 CEST | 49774 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:44.267733097 CEST | 49775 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:44.272650003 CEST | 80 | 49775 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:44.956456900 CEST | 80 | 49775 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:44.956588030 CEST | 49775 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:45.074383020 CEST | 49775 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:45.074702024 CEST | 49776 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:45.079574108 CEST | 80 | 49775 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:45.079591036 CEST | 80 | 49776 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:45.079643011 CEST | 49775 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:45.079684973 CEST | 49776 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:45.079811096 CEST | 49776 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:45.084819078 CEST | 80 | 49776 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:45.779958010 CEST | 80 | 49776 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:45.780081987 CEST | 49776 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:45.891122103 CEST | 49776 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:45.896289110 CEST | 80 | 49776 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:46.137034893 CEST | 80 | 49776 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:46.137152910 CEST | 49776 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:46.262229919 CEST | 49776 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:46.262626886 CEST | 49777 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:46.267518044 CEST | 80 | 49777 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:46.267644882 CEST | 49777 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:46.267657042 CEST | 80 | 49776 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:46.267707109 CEST | 49776 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:46.267849922 CEST | 49777 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:46.272680044 CEST | 80 | 49777 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:46.976002932 CEST | 80 | 49777 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:46.976079941 CEST | 49777 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:47.091031075 CEST | 49777 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:47.091428995 CEST | 49778 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:47.096187115 CEST | 80 | 49777 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:47.096282959 CEST | 80 | 49778 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:47.096287012 CEST | 49777 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:47.096349955 CEST | 49778 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:47.096556902 CEST | 49778 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:47.101387024 CEST | 80 | 49778 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:47.786688089 CEST | 80 | 49778 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:47.786807060 CEST | 49778 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:47.902647018 CEST | 49778 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:47.903032064 CEST | 49779 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:47.908524036 CEST | 80 | 49779 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:47.908592939 CEST | 49779 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:47.908698082 CEST | 49779 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:47.909559011 CEST | 80 | 49778 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:47.909603119 CEST | 49778 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:47.914177895 CEST | 80 | 49779 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:48.602076054 CEST | 80 | 49779 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:48.602360964 CEST | 49779 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:48.719189882 CEST | 49779 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:48.719525099 CEST | 49780 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:48.724499941 CEST | 80 | 49779 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:48.724558115 CEST | 49779 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:48.724644899 CEST | 80 | 49780 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:48.724720001 CEST | 49780 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:48.725009918 CEST | 49780 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:48.729904890 CEST | 80 | 49780 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:49.423892975 CEST | 80 | 49780 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:49.423984051 CEST | 49780 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:49.543211937 CEST | 49780 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:49.543539047 CEST | 49781 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:49.548455000 CEST | 80 | 49781 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:49.548557043 CEST | 49781 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:49.548690081 CEST | 49781 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:49.549101114 CEST | 80 | 49780 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:49.549148083 CEST | 49780 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:49.553499937 CEST | 80 | 49781 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:50.250526905 CEST | 80 | 49781 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:50.250720024 CEST | 49781 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:50.371330023 CEST | 49781 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:50.372292995 CEST | 49782 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:50.377237082 CEST | 80 | 49781 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:50.377377033 CEST | 49781 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:50.378057957 CEST | 80 | 49782 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:50.378124952 CEST | 49782 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:50.378300905 CEST | 49782 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:50.383265972 CEST | 80 | 49782 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:51.058876038 CEST | 80 | 49782 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:51.058937073 CEST | 49782 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:51.184328079 CEST | 49782 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:51.184621096 CEST | 49783 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:51.189415932 CEST | 80 | 49783 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:51.189529896 CEST | 49783 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:51.189632893 CEST | 49783 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:51.190063953 CEST | 80 | 49782 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:51.190126896 CEST | 49782 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:51.194540977 CEST | 80 | 49783 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:51.896584034 CEST | 80 | 49783 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:51.896720886 CEST | 49783 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:52.012098074 CEST | 49783 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:52.012420893 CEST | 49784 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:52.017283916 CEST | 80 | 49784 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:52.017462015 CEST | 49784 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:52.017874002 CEST | 49784 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:52.017918110 CEST | 80 | 49783 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:52.018001080 CEST | 49783 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:52.022684097 CEST | 80 | 49784 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:52.732636929 CEST | 80 | 49784 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:52.732832909 CEST | 49784 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:52.840253115 CEST | 49784 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:52.845268011 CEST | 80 | 49784 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:53.081896067 CEST | 80 | 49784 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:53.082067013 CEST | 49784 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:53.199662924 CEST | 49784 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:53.200015068 CEST | 49785 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:53.205010891 CEST | 80 | 49784 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:53.205099106 CEST | 49784 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:53.205262899 CEST | 80 | 49785 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:53.205329895 CEST | 49785 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:53.205583096 CEST | 49785 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:53.210319042 CEST | 80 | 49785 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:53.904262066 CEST | 80 | 49785 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:53.904412985 CEST | 49785 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:54.043212891 CEST | 49785 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:54.043509960 CEST | 49786 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:54.048347950 CEST | 80 | 49786 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:54.048446894 CEST | 49786 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:54.048460007 CEST | 80 | 49785 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:54.048513889 CEST | 49785 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:54.102309942 CEST | 49786 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:54.107311964 CEST | 80 | 49786 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:54.736625910 CEST | 80 | 49786 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:54.736886978 CEST | 49786 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:54.855566978 CEST | 49786 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:54.855854988 CEST | 49787 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:54.862083912 CEST | 80 | 49786 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:54.862107038 CEST | 80 | 49787 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:54.862138987 CEST | 49786 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:54.862183094 CEST | 49787 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:54.862349987 CEST | 49787 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:54.868272066 CEST | 80 | 49787 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:55.567287922 CEST | 80 | 49787 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:55.567626953 CEST | 49787 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:55.683871984 CEST | 49787 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:55.684735060 CEST | 49788 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:55.689287901 CEST | 80 | 49787 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:55.689405918 CEST | 49787 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:55.689588070 CEST | 80 | 49788 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:55.689701080 CEST | 49788 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:55.690098047 CEST | 49788 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:55.694951057 CEST | 80 | 49788 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:56.374643087 CEST | 80 | 49788 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:56.374783039 CEST | 49788 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:56.496320963 CEST | 49788 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:56.496665001 CEST | 49789 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:56.501722097 CEST | 80 | 49788 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:56.501811981 CEST | 49788 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:56.501900911 CEST | 80 | 49789 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:56.501977921 CEST | 49789 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:56.502183914 CEST | 49789 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:56.507153034 CEST | 80 | 49789 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:57.210350990 CEST | 80 | 49789 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:57.210566044 CEST | 49789 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:57.339479923 CEST | 49789 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:57.339787960 CEST | 49790 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:57.344819069 CEST | 80 | 49790 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:57.344877005 CEST | 80 | 49789 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:57.344883919 CEST | 49790 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:57.345004082 CEST | 49789 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:57.345225096 CEST | 49790 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:57.350006104 CEST | 80 | 49790 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:58.050874949 CEST | 80 | 49790 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:58.056379080 CEST | 49790 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:58.169977903 CEST | 49790 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:58.170449018 CEST | 49791 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:58.175333977 CEST | 80 | 49791 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:58.175424099 CEST | 49791 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:58.175637007 CEST | 49791 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:58.175868988 CEST | 80 | 49790 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:58.175923109 CEST | 49790 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:58.180373907 CEST | 80 | 49791 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:58.876276016 CEST | 80 | 49791 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:58.878051043 CEST | 49791 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:59.001463890 CEST | 49791 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:59.001796961 CEST | 49792 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:59.006756067 CEST | 80 | 49792 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:59.006773949 CEST | 80 | 49791 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:59.006884098 CEST | 49792 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:59.006910086 CEST | 49791 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:59.007006884 CEST | 49792 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:59.011925936 CEST | 80 | 49792 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:59.691205978 CEST | 80 | 49792 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:59.691284895 CEST | 49792 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:59.812228918 CEST | 49792 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:59.812726974 CEST | 49793 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:59.817521095 CEST | 80 | 49792 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:59.817576885 CEST | 80 | 49793 | 185.208.158.248 | 192.168.2.12
Oct 2, 2024 17:22:59.817579031 CEST | 49792 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:59.817652941 CEST | 49793 | 80 | 192.168.2.12 | 185.208.158.248
Oct 2, 2024 17:22:59.817881107 CEST | 49793 | 80 | 192.168.2.12 | 185.208.158.248
                                                                                                            Oct 2, 2024 17:22:59.822644949 CEST8049793185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:00.516565084 CEST8049793185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:00.518928051 CEST4979380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:01.219155073 CEST4979380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:01.219821930 CEST4979480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:01.224544048 CEST8049793185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:01.224597931 CEST4979380192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:01.224647999 CEST8049794185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:01.224700928 CEST4979480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:01.226358891 CEST4979480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:01.231302023 CEST8049794185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:01.937175989 CEST8049794185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:01.940820932 CEST4979480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:02.076221943 CEST4979480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:02.076813936 CEST4979680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:02.081788063 CEST8049796185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:02.081828117 CEST8049794185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:02.081960917 CEST4979680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:02.081963062 CEST4979480192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:02.082082987 CEST4979680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:02.087268114 CEST8049796185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:02.775309086 CEST8049796185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:02.775415897 CEST4979680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:02.905097008 CEST4979680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:02.905836105 CEST4979780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:02.910372972 CEST8049796185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:02.910424948 CEST4979680192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:02.910695076 CEST8049797185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:02.910751104 CEST4979780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:02.910984993 CEST4979780192.168.2.12185.208.158.248
                                                                                                            Oct 2, 2024 17:23:02.915731907 CEST8049797185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:03.621133089 CEST8049797185.208.158.248192.168.2.12
                                                                                                            Oct 2, 2024 17:23:03.621207952 CEST4979780192.168.2.12185.208.158.248
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 17:21:53.784528971 CEST | 58446 | 53 | 192.168.2.12 | 141.98.234.31
Oct 2, 2024 17:21:54.034893036 CEST | 53 | 58446 | 141.98.234.31 | 192.168.2.12
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 17:21:53.784528971 CEST | 192.168.2.12 | 141.98.234.31 | 0x2e6f | Standard query (0) | ejmbiem.ua | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 2, 2024 17:21:54.034893036 CEST | 141.98.234.31 | 192.168.2.12 | 0x2e6f | No error (0) | ejmbiem.ua | - | 185.208.158.248 | A (IP address) | IN (0x0001) | false
                                                                                                            • ejmbiem.ua
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.12 | 49720 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:21:54.576849937 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:21:55.284823895 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:21:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20 (chunked body: one chunk of size 0xe carrying the 14-byte payload 67b680813008c2, followed by the terminating zero-length chunk)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.12 | 49721 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:21:55.423938990 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:21:56.125294924 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:21:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.12 | 49722 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:21:56.252859116 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:21:56.932799101 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:21:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 2, 2024 17:21:57.043400049 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:21:57.285186052 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:21:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.12 | 49723 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:21:57.408431053 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:21:58.138324976 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:21:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.12 | 49724 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:21:58.267374039 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:21:58.944242954 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:21:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.12 | 49725 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:21:59.064527988 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:21:59.770565033 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:21:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.12 | 49726 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:21:59.893167973 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:00.604753971 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.12 | 49727 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:00.737040043 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:01.427088976 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 8 | Source IP: 192.168.2.12 | Source Port: 49728 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 6700
Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:01.549348116 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:02.481178999 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 2, 2024 17:22:02.482280016 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 2, 2024 17:22:02.590393066 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:02.831512928 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20

Session ID: 9 | Source IP: 192.168.2.12 | Source Port: 49729 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 6700
Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:02.955251932 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:03.671544075 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:03 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20

Session ID: 10 | Source IP: 192.168.2.12 | Source Port: 49730 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 6700
Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:03.817024946 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:04.526818037 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20

Session ID: 11 | Source IP: 192.168.2.12 | Source Port: 49731 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 6700
Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:04.657951117 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:05.364103079 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20

Session ID: 12 | Source IP: 192.168.2.12 | Source Port: 49732 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 6700
Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:05.486341953 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:06.204998970 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20

Session ID: 13 | Source IP: 192.168.2.12 | Source Port: 49733 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 6700
Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:06.334799051 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:07.021503925 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20

Session ID: 14 | Source IP: 192.168.2.12 | Source Port: 49734 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 6700
Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:07.150264025 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:07.871171951 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:07 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20

Session ID: 15 | Source IP: 192.168.2.12 | Source Port: 49735 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 6700
Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:08.002016068 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:08.692656994 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20

Session ID: 16 | Source IP: 192.168.2.12 | Source Port: 49736 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 6700
Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:08.816237926 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:09.507175922 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20

Session ID: 17 | Source IP: 192.168.2.12 | Source Port: 49737 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 6700
Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:09.666454077 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:10.370194912 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:10 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 2, 2024 17:22:10.489131927 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:10.728662014 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:10 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 2, 2024 17:22:10.846329927 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:11.085577965 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:10 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.12 | 49738 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:11.214560986 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:11.922939062 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.12 | 49739 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:12.269401073 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:12.973983049 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:12 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.12 | 49740 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:13.097531080 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:13.781404972 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.12 | 49741 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:14.103898048 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:14.810699940 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.12 | 49743 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:14.939477921 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:15.654707909 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.12 | 49744 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:15.784713030 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:16.501817942 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.12 | 49745 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:16.627410889 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:17.466690063 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.12 | 49746 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:17.597507954 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:18.323046923 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 2, 2024 17:22:18.434370995 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:18.673602104 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.12 | 49747 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:18.803656101 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:19.525067091 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.12 | 49748 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:19.665271044 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:20.384814978 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 2, 2024 17:22:20.496782064 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:20.735647917 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.12 | 49749 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:20.878221989 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:21.565212965 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.12 | 49750 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:21.706581116 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:22.422032118 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.12 | 49751 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:22.549433947 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:23.255326033 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.12 | 49752 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:23.377302885 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:24.066184998 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.12 | 49753 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:24.418931007 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:25.108486891 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.12 | 49754 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:25.239288092 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:25.963884115 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 2, 2024 17:22:26.075743914 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:26.322350025 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 2, 2024 17:22:26.434293985 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:26.675345898 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.12 | 49755 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:26.799102068 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:27.557333946 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.12 | 49756 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:27.705885887 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:28.406485081 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.12 | 49757 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:28.533102036 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:29.259200096 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.12 | 49758 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:29.397397995 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:30.080368042 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.12 | 49759 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:30.206825018 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:30.924400091 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.12 | 49760 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:31.048306942 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:31.736641884 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 40 | Source: 192.168.2.12:49761 | Destination: 185.208.158.248:80 | PID: 6700 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:31.861268044 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:32.587048054 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 41 | Source: 192.168.2.12:49762 | Destination: 185.208.158.248:80 | PID: 6700 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:32.704973936 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:33.407902002 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 42 | Source: 192.168.2.12:49763 | Destination: 185.208.158.248:80 | PID: 6700 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:33.539963007 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:34.237572908 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 43 | Source: 192.168.2.12:49764 | Destination: 185.208.158.248:80 | PID: 6700 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:34.361625910 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:35.061338902 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 2, 2024 17:22:35.168113947 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:35.412843943 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 44 | Source: 192.168.2.12:49765 | Destination: 185.208.158.248:80 | PID: 6700 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:35.532995939 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:36.269864082 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 45 | Source: 192.168.2.12:49766 | Destination: 185.208.158.248:80 | PID: 6700 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:36.398720026 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:37.079106092 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 46 | Source: 192.168.2.12:49767 | Destination: 185.208.158.248:80 | PID: 6700 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:37.205013990 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:37.891074896 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 47 | Source: 192.168.2.12:49768 | Destination: 185.208.158.248:80 | PID: 6700 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:38.017165899 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:38.711765051 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 48 | Source: 192.168.2.12:49769 | Destination: 185.208.158.248:80 | PID: 6700 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:38.831613064 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:39.520319939 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 49 | Source: 192.168.2.12:49770 | Destination: 185.208.158.248:80 | PID: 6700 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:39.642401934 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:40.347470045 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 50 | Source: 192.168.2.12:49771 | Destination: 185.208.158.248:80 | PID: 6700 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:40.475563049 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:41.165951967 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 2, 2024 17:22:41.280288935 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:41.517831087 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 51 | Source: 192.168.2.12:49772 | Destination: 185.208.158.248:80 | PID: 6700 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:41.642621040 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:42.477447987 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.12 | 49773 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:42.641388893 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:43.334400892 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.12 | 49774 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:43.454715967 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:44.142744064 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.12 | 49775 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:44.267733097 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:44.956456900 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
55 | 192.168.2.12 | 49776 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:45.079811096 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:45.779958010 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 2, 2024 17:22:45.891122103 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:46.137034893 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
56 | 192.168.2.12 | 49777 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:46.267849922 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:46.976002932 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
57 | 192.168.2.12 | 49778 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:47.096556902 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:47.786688089 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.12 | 49779 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:47.908698082 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:48.602076054 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.12 | 49780 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:48.725009918 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:49.423892975 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.12 | 49781 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:49.548690081 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:50.250526905 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.12 | 49782 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:50.378300905 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:51.058876038 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.12 | 49783 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:51.189632893 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
Host: ejmbiem.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:51.896584034 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 02 Oct 2024 15:22:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
63 | 192.168.2.12 | 49784 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:52.017874002 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:52.732636929 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 2, 2024 17:22:52.840253115 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:53.081896067 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
64 | 192.168.2.12 | 49785 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:53.205583096 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:53.904262066 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
65 | 192.168.2.12 | 49786 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:54.102309942 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:54.736625910 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
66 | 192.168.2.12 | 49787 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:54.862349987 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:55.567287922 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
67 | 192.168.2.12 | 49788 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:55.690098047 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:56.374643087 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
68 | 192.168.2.12 | 49789 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:56.502183914 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:57.210350990 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
69 | 192.168.2.12 | 49790 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:57.345225096 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:58.050874949 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
70 | 192.168.2.12 | 49791 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:58.175637007 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:58.876276016 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
71 | 192.168.2.12 | 49792 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:59.007006884 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:22:59.691205978 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:22:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
72 | 192.168.2.12 | 49793 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:22:59.817881107 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:23:00.516565084 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:23:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
73 | 192.168.2.12 | 49794 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:23:01.226358891 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:23:01.937175989 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:23:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
74 | 192.168.2.12 | 49796 | 185.208.158.248 | 80 | 6700 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 17:23:02.082082987 CEST | 313 | OUT | GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
    Host: ejmbiem.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 2, 2024 17:23:02.775309086 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 02 Oct 2024 15:23:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                            75192.168.2.1249797185.208.158.248806700C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
                                                                                                            TimestampBytes transferredDirectionData
                                                                                                            Oct 2, 2024 17:23:02.910984993 CEST313OUTGET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1
                                                                                                            Host: ejmbiem.ua
                                                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Oct 2, 2024 17:23:03.621133089 CEST
Bytes transferred: 220
Direction: IN
Data:
HTTP/1.1 200 OK
                                                                                                            Server: nginx/1.20.1
                                                                                                            Date: Wed, 02 Oct 2024 15:23:03 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: keep-alive
                                                                                                            X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n (chunked body: one 14-byte chunk "67b680813008c2" followed by the zero-length terminating chunk)
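The exchange above has three traits worth turning into a detection check: the User-Agent claims "Windows NT 9.0", a version that has never shipped; the GET carries a ~200-character pure-hex blob in a `/search/?q=` parameter; and the server answers with a 14-character hex token in a single chunk. The script below is an added example, not part of the Joe Sandbox report and not code from the sample. It re-parses the request and the raw chunked response exactly as they appear in the capture (embedded here as constructed constants) and flags each trait. The `KNOWN_NT` version set, the 128-character minimum for the query blob and the 32-character maximum for the reply token are my own heuristic thresholds, not values taken from the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed from the captured request above (request line plus the two headers shown).
REQUEST = (
    "GET /search/?q=67e28dd86b0ff029130ffd4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c446db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396086f713c5ed94 HTTP/1.1\r\n"
    "Host: ejmbiem.ua\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)\r\n"
    "\r\n"
)
# The "Data Raw" bytes of the 200 OK response: a chunked body with one 14-byte chunk.
RAW_CHUNKED_REPLY = bytes.fromhex("650d0a36376236383038313330303863320d0a300d0a0d0a")

# Heuristic thresholds (assumptions, not taken from the report).
KNOWN_NT = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}
MIN_HEX_QUERY = 128   # q= blobs at least this long are treated as an encrypted beacon
MAX_ACK_LEN = 32      # hex-only reply bodies up to this length look like a C2 acknowledgement


def dechunk(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body into its payload bytes."""
    out, pos = b"", 0
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";")[0], 16)   # ignore any chunk extension
        pos = end + 2
        if size == 0:                                  # terminating zero-length chunk
            return out
        out += raw[pos:pos + size]
        pos += size + 2                                # skip chunk data and its CRLF


def parse_request(text: str):
    """Split a raw request into (method, target, lower-cased header dict)."""
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def ua_findings(ua: str) -> list:
    """Flag a Windows NT version token that no released Windows build advertises."""
    findings = []
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m and m.group(1) not in KNOWN_NT:
        findings.append(f"ua_bogus_nt_version:{m.group(1)}")
    return findings


def beacon_findings(target: str, headers: dict, body: bytes) -> list:
    """Apply the three traits of the captured exchange to one request/response pair."""
    findings = ua_findings(headers.get("user-agent", ""))
    parts = urlsplit(target)
    q = parse_qs(parts.query).get("q", [""])[0]
    if parts.path == "/search/" and len(q) >= MIN_HEX_QUERY and re.fullmatch(r"[0-9a-f]+", q):
        findings.append(f"hex_blob_query:{len(q)}")
    text = body.decode("ascii", "replace")
    if 0 < len(text) <= MAX_ACK_LEN and re.fullmatch(r"[0-9a-f]+", text):
        findings.append(f"short_hex_reply:{text}")
    return findings


def analyse(request: str = REQUEST, raw_reply: bytes = RAW_CHUNKED_REPLY) -> list:
    """Parse the pair and return the list of triggered findings (empty if clean)."""
    _method, target, headers = parse_request(request)
    return beacon_findings(target, headers, dechunk(raw_reply))


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

Each finding on its own is a weak signal (a long hex query string is common on legitimate sites), so a production rule should require the bogus NT version together with at least one of the other two before alerting; the function returns all three separately so the combination policy can live outside the parser.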


                                                                                                            Target ID:0
                                                                                                            Start time:11:20:56
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Users\user\Desktop\noode.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\noode.exe"
                                                                                                            Imagebase:0x400000
                                                                                                            File size:8'037'905 bytes
                                                                                                            MD5 hash:8D369C7A83BEA4727AB814C6E09EA24E
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low
                                                                                                            Has exited:false

                                                                                                            Target ID:1
                                                                                                            Start time:11:20:57
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-LM01C.tmp\noode.tmp" /SL5="$103E8,7753864,54272,C:\Users\user\Desktop\noode.exe"
                                                                                                            Imagebase:0x400000
                                                                                                            File size:709'120 bytes
                                                                                                            MD5 hash:16C9D19AB32C18671706CEFEE19B6949
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low
                                                                                                            Has exited:false

                                                                                                            Target ID:3
                                                                                                            Start time:11:21:00
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32.exe" -i
                                                                                                            Imagebase:0x400000
                                                                                                            File size:3'022'336 bytes
                                                                                                            MD5 hash:C84C1723350D751DF4CA78CC230B5EA7
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3607247609.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:false

                                                                                                            Target ID:5
                                                                                                            Start time:11:21:10
                                                                                                            Start date:02/10/2024
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                            Imagebase:0x7ff7d3e90000
                                                                                                            File size:55'320 bytes
                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false


                                                                                                              Execution Graph

                                                                                                              Execution Coverage:21.2%
                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                              Signature Coverage:2.4%
                                                                                                              Total number of Nodes:1498
                                                                                                              Total number of Limit Nodes:22
[Execution graph: interactive node/edge data omitted. The graph's nodes are call sites in the 0x400000 image annotated with the Windows APIs they resolve to, among them GetModuleHandleA/GetProcAddress, GetCommandLineA, GetModuleFileNameA, SetProcessDEPPolicy, SetErrorMode, GetSystemInfo, VirtualQuery/VirtualProtect, LocalAlloc, TlsSetValue/TlsGetValue, LoadLibraryA, FindResourceA/SizeofResource/LoadResource/LockResource, GetSystemDefaultLCID, GetUserDefaultLangID, GetACP, LoadStringA, GetLocaleInfoA, GetVersionExA, GetSystemTime, FormatMessageA, GetLastError, CreateFileA, WriteFile, CloseHandle, CreateDirectoryA, GetWindowsDirectoryA, GetEnvironmentVariableA, GetFullPathNameA, GetFileAttributesA, RegOpenKeyExA/RegQueryValueExA/RegCloseKey, VariantClear/VariantChangeTypeEx, CharPrevA, IsDBCSLeadByte, InterlockedExchange, MessageBoxA and RaiseException.]
409081 5995 408fac 5976->5995 5980 403278 4 API calls 5979->5980 5981 4032b5 5980->5981 5981->5966 5983 403498 5982->5983 5985 4034c3 5982->5985 5984 4034f0 4 API calls 5983->5984 5984->5985 5985->5966 5987 408f7a 5986->5987 5988 408f7e 5986->5988 5987->5972 5989 408fa0 SetLastError 5988->5989 5990 408f87 Wow64DisableWow64FsRedirection 5988->5990 5991 408f9b 5989->5991 5990->5991 5991->5972 5993 4069dc 7 API calls 5992->5993 5994 406a52 GetLastError 5993->5994 5994->5976 5996 408fb1 Wow64RevertWow64FsRedirection 5995->5996 5997 408fbb 5995->5997 5996->5997 5997->5887 5999 403198 4 API calls 5998->5999 6005 408cb1 5998->6005 5999->6005 6000 408cdc 6001 4031b8 4 API calls 6000->6001 6003 408d69 6001->6003 6002 408cc8 6006 4032fc 4 API calls 6002->6006 6003->5698 6004 403278 4 API calls 6004->6005 6005->6000 6005->6002 6005->6004 6007 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6005->6007 6006->6000 6007->6005 6009 406744 IsDBCSLeadByte 6008->6009 6011 406835 6009->6011 6010 40687f 6010->5710 6011->6010 6012 406680 IsDBCSLeadByte 6011->6012 6012->6011 6014 4068f3 6013->6014 6015 406820 IsDBCSLeadByte 6014->6015 6017 4068fe 6015->6017 6016 4066ea 6016->5715 6016->5716 6017->6016 6018 406680 IsDBCSLeadByte 6017->6018 6018->6017 6020 406957 6019->6020 6021 40695b 6019->6021 6020->5729 6024 406970 CharPrevA 6021->6024 6023 40696c 6023->5729 6024->6023 6026 402bd5 RaiseException 6025->6026 6027 402be6 6025->6027 6026->6027 6027->5753 6280 402e64 6281 402e69 6280->6281 6282 402e7a RtlUnwind 6281->6282 6283 402e5e 6281->6283 6284 402e9d 6282->6284 6301 40667c IsDBCSLeadByte 6302 406694 6301->6302 6714 403f7d 6715 403fa2 6714->6715 6718 403f84 6714->6718 6717 403e8e 4 API calls 6715->6717 6715->6718 6716 403f8c 6717->6718 6718->6716 6719 402674 4 API calls 6718->6719 6720 403fca 6719->6720 6727 403d02 6734 403d12 6727->6734 6728 403ddf ExitProcess 6729 403db8 6731 403cc8 4 API calls 6729->6731 6730 403dea 6732 403dc2 6731->6732 6733 403cc8 4 API calls 6732->6733 
6735 403dcc 6733->6735 6734->6728 6734->6729 6734->6730 6734->6734 6737 403da4 6734->6737 6738 403d8f MessageBoxA 6734->6738 6747 4019dc 6735->6747 6743 403fe4 6737->6743 6738->6729 6740 403dd1 6740->6728 6740->6730 6744 403fe8 6743->6744 6745 403f07 4 API calls 6744->6745 6746 404006 6745->6746 6748 401abb 6747->6748 6749 4019ed 6747->6749 6748->6740 6750 401a04 RtlEnterCriticalSection 6749->6750 6751 401a0e LocalFree 6749->6751 6750->6751 6752 401a41 6751->6752 6753 401a2f VirtualFree 6752->6753 6754 401a49 6752->6754 6753->6752 6755 401a70 LocalFree 6754->6755 6756 401a87 6754->6756 6755->6755 6755->6756 6757 401aa9 RtlDeleteCriticalSection 6756->6757 6758 401a9f RtlLeaveCriticalSection 6756->6758 6757->6740 6758->6757 6311 404206 6312 40420a 6311->6312 6313 4041cc 6311->6313 6314 404282 6312->6314 6315 403154 4 API calls 6312->6315 6316 404323 6315->6316 6317 402c08 6320 402c82 6317->6320 6321 402c19 6317->6321 6318 402c56 RtlUnwind 6319 403154 4 API calls 6318->6319 6319->6320 6321->6318 6321->6320 6324 402b28 6321->6324 6325 402b31 RaiseException 6324->6325 6326 402b47 6324->6326 6325->6326 6326->6318 6327 408c10 6328 408c17 6327->6328 6329 403198 4 API calls 6328->6329 6337 408cb1 6329->6337 6330 408cdc 6331 4031b8 4 API calls 6330->6331 6333 408d69 6331->6333 6332 408cc8 6335 4032fc 4 API calls 6332->6335 6334 403278 4 API calls 6334->6337 6335->6330 6336 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6336->6337 6337->6330 6337->6332 6337->6334 6337->6336 6338 40a011 6339 40a036 6338->6339 6340 407918 InterlockedExchange 6339->6340 6342 40a060 6340->6342 6341 40a070 6348 4076ac SetEndOfFile 6341->6348 6342->6341 6343 409aa0 4 API calls 6342->6343 6343->6341 6345 40a08c 6346 4025ac 4 API calls 6345->6346 6347 40a0c3 6346->6347 6349 4076c3 6348->6349 6350 4076bc 6348->6350 6349->6345 6351 40748c 21 API calls 6350->6351 6351->6349 6763 409916 6764 409918 6763->6764 6765 40993a 6764->6765 6766 409956 CallWindowProcA 6764->6766 6766->6765 6079 407017 6080 
407008 SetErrorMode 6079->6080 6356 403018 6357 403070 6356->6357 6358 403025 6356->6358 6359 40302a RtlUnwind 6358->6359 6360 40304e 6359->6360 6362 402f78 6360->6362 6363 402be8 6360->6363 6364 402bf1 RaiseException 6363->6364 6365 402c04 6363->6365 6364->6365 6365->6357 6773 409918 6774 409927 6773->6774 6775 40993a 6773->6775 6774->6775 6776 409956 CallWindowProcA 6774->6776 6776->6775 6370 40901e 6371 409010 6370->6371 6372 408fac Wow64RevertWow64FsRedirection 6371->6372 6373 409018 6372->6373 6374 409020 SetLastError 6375 409029 6374->6375 6386 403a28 ReadFile 6387 403a46 6386->6387 6388 403a49 GetLastError 6386->6388 6217 40762c ReadFile 6218 407663 6217->6218 6219 40764c 6217->6219 6220 407652 GetLastError 6219->6220 6221 40765c 6219->6221 6220->6218 6220->6221 6222 40748c 21 API calls 6221->6222 6222->6218 6393 40a02c 6394 409aa0 4 API calls 6393->6394 6395 40a031 6394->6395 6396 40a036 6395->6396 6397 402f24 5 API calls 6395->6397 6398 407918 InterlockedExchange 6396->6398 6397->6396 6399 40a060 6398->6399 6400 40a070 6399->6400 6401 409aa0 4 API calls 6399->6401 6402 4076ac 22 API calls 6400->6402 6401->6400 6403 40a08c 6402->6403 6404 4025ac 4 API calls 6403->6404 6405 40a0c3 6404->6405 6777 40712e 6778 407118 6777->6778 6779 403198 4 API calls 6778->6779 6780 407120 6779->6780 6781 403198 4 API calls 6780->6781 6782 407128 6781->6782 6783 408f30 6786 408dfc 6783->6786 6787 408e05 6786->6787 6788 403198 4 API calls 6787->6788 6789 408e13 6787->6789 6788->6787 6790 403932 6791 403924 6790->6791 6794 40374c 6791->6794 6793 40392c 6795 403766 6794->6795 6796 403759 6794->6796 6795->6793 6796->6795 6797 403779 VariantClear 6796->6797 6797->6793 6028 4075c4 SetFilePointer 6029 4075f7 6028->6029 6030 4075e7 GetLastError 6028->6030 6030->6029 6031 4075f0 6030->6031 6032 40748c 21 API calls 6031->6032 6032->6029 6406 405ac4 6407 405acc 6406->6407 6411 405ad4 6406->6411 6408 405ad2 6407->6408 6409 405adb 6407->6409 6413 405a3c 6408->6413 6410 405930 5 API calls 
6409->6410 6410->6411 6420 405a44 6413->6420 6414 405a5e 6416 405a63 6414->6416 6417 405a7a 6414->6417 6415 403154 4 API calls 6415->6420 6418 405930 5 API calls 6416->6418 6419 403154 4 API calls 6417->6419 6421 405a76 6418->6421 6422 405a7f 6419->6422 6420->6414 6420->6415 6424 403154 4 API calls 6421->6424 6423 4059a0 19 API calls 6422->6423 6423->6421 6425 405aa8 6424->6425 6426 403154 4 API calls 6425->6426 6427 405ab6 6426->6427 6427->6411 6428 4076c8 WriteFile 6429 4076e8 6428->6429 6430 4076ef 6428->6430 6431 40748c 21 API calls 6429->6431 6432 407700 6430->6432 6433 4073ec 20 API calls 6430->6433 6431->6430 6433->6432 6434 40a2ca 6443 4096fc 6434->6443 6437 402f24 5 API calls 6438 40a2d4 6437->6438 6439 403198 4 API calls 6438->6439 6440 40a2f3 6439->6440 6441 403198 4 API calls 6440->6441 6442 40a2fb 6441->6442 6452 40569c 6443->6452 6445 409717 6447 409745 6445->6447 6458 40720c 6445->6458 6449 403198 4 API calls 6447->6449 6448 409735 6451 40973d MessageBoxA 6448->6451 6450 40975a 6449->6450 6450->6437 6451->6447 6453 403154 4 API calls 6452->6453 6454 4056a1 6453->6454 6455 4056b9 6454->6455 6456 403154 4 API calls 6454->6456 6455->6445 6457 4056af 6456->6457 6457->6445 6459 40569c 4 API calls 6458->6459 6460 40721b 6459->6460 6461 407221 6460->6461 6462 40722f 6460->6462 6463 40322c 4 API calls 6461->6463 6464 40723f 6462->6464 6467 40724b 6462->6467 6466 40722d 6463->6466 6469 4071d0 6464->6469 6466->6448 6476 4032b8 6467->6476 6470 40322c 4 API calls 6469->6470 6471 4071df 6470->6471 6472 4071fc 6471->6472 6473 406950 CharPrevA 6471->6473 6472->6466 6474 4071eb 6473->6474 6474->6472 6475 4032fc 4 API calls 6474->6475 6475->6472 6477 403278 4 API calls 6476->6477 6478 4032c2 6477->6478 6478->6466 6479 402ccc 6480 402cdd 6479->6480 6484 402cfe 6479->6484 6481 402d88 RtlUnwind 6480->6481 6483 402b28 RaiseException 6480->6483 6480->6484 6482 403154 4 API calls 6481->6482 6482->6484 6485 402d7f 6483->6485 6485->6481 6806 403fcd 6807 403f07 4 API calls 
6806->6807 6808 403fd6 6807->6808 6809 403e9c 4 API calls 6808->6809 6810 403fe2 6809->6810 5464 4024d0 5465 4024e4 5464->5465 5466 4024f7 5464->5466 5503 401918 RtlInitializeCriticalSection 5465->5503 5468 402518 5466->5468 5469 40250e RtlEnterCriticalSection 5466->5469 5480 402300 5468->5480 5469->5468 5472 4024ed 5474 402525 5477 402581 5474->5477 5478 402577 RtlLeaveCriticalSection 5474->5478 5476 402531 5476->5474 5510 40215c 5476->5510 5478->5477 5481 402314 5480->5481 5482 402335 5481->5482 5483 4023b8 5481->5483 5485 402344 5482->5485 5524 401b74 5482->5524 5483->5485 5488 402455 5483->5488 5527 401d80 5483->5527 5535 401e84 5483->5535 5485->5474 5490 401fd4 5485->5490 5488->5485 5531 401d00 5488->5531 5491 401fe8 5490->5491 5492 401ffb 5490->5492 5493 401918 4 API calls 5491->5493 5494 402012 RtlEnterCriticalSection 5492->5494 5497 40201c 5492->5497 5495 401fed 5493->5495 5494->5497 5495->5492 5496 401ff1 5495->5496 5500 402052 5496->5500 5497->5500 5617 401ee0 5497->5617 5500->5476 5501 402147 5501->5476 5502 40213d RtlLeaveCriticalSection 5502->5501 5504 40193c RtlEnterCriticalSection 5503->5504 5505 401946 5503->5505 5504->5505 5506 401964 LocalAlloc 5505->5506 5507 40197e 5506->5507 5508 4019c3 RtlLeaveCriticalSection 5507->5508 5509 4019cd 5507->5509 5508->5509 5509->5466 5509->5472 5511 40217a 5510->5511 5512 402175 5510->5512 5513 4021ab RtlEnterCriticalSection 5511->5513 5516 4021b5 5511->5516 5520 40217e 5511->5520 5514 401918 4 API calls 5512->5514 5513->5516 5514->5511 5515 4021c1 5518 4022e3 RtlLeaveCriticalSection 5515->5518 5519 4022ed 5515->5519 5516->5515 5517 402244 5516->5517 5522 402270 5516->5522 5517->5520 5521 401d80 7 API calls 5517->5521 5518->5519 5519->5474 5520->5474 5521->5520 5522->5515 5523 401d00 7 API calls 5522->5523 5523->5515 5525 40215c 9 API calls 5524->5525 5526 401b95 5525->5526 5526->5485 5528 401d92 5527->5528 5529 401d89 5527->5529 5528->5483 5529->5528 5530 401b74 9 API calls 5529->5530 5530->5528 5532 401d1e 
5531->5532 5533 401d4e 5531->5533 5532->5485 5533->5532 5540 401c68 5533->5540 5595 401768 5535->5595 5537 401e99 5538 401ea6 5537->5538 5606 401dcc 5537->5606 5538->5483 5541 401c7a 5540->5541 5542 401c9d 5541->5542 5543 401caf 5541->5543 5553 40188c 5542->5553 5544 40188c 3 API calls 5543->5544 5546 401cad 5544->5546 5547 401cc5 5546->5547 5563 401b44 5546->5563 5547->5532 5549 401cd4 5550 401cee 5549->5550 5568 401b98 5549->5568 5573 4013a0 5550->5573 5554 4018b2 5553->5554 5562 40190b 5553->5562 5577 401658 5554->5577 5559 4018e6 5561 4013a0 LocalAlloc 5559->5561 5559->5562 5561->5562 5562->5546 5564 401b61 5563->5564 5565 401b52 5563->5565 5564->5549 5566 401d00 9 API calls 5565->5566 5567 401b5f 5566->5567 5567->5549 5569 401bab 5568->5569 5570 401b9d 5568->5570 5569->5550 5571 401b74 9 API calls 5570->5571 5572 401baa 5571->5572 5572->5550 5574 4013ab 5573->5574 5575 4013c6 5574->5575 5576 4012e4 LocalAlloc 5574->5576 5575->5547 5576->5575 5579 40168f 5577->5579 5578 4016cf 5581 40132c 5578->5581 5579->5578 5580 4016a9 VirtualFree 5579->5580 5580->5579 5582 401348 5581->5582 5589 4012e4 5582->5589 5585 40150c 5587 40153b 5585->5587 5586 401594 5586->5559 5587->5586 5588 401568 VirtualFree 5587->5588 5588->5587 5592 40128c 5589->5592 5593 401298 LocalAlloc 5592->5593 5594 4012aa 5592->5594 5593->5594 5594->5559 5594->5585 5596 401787 5595->5596 5597 40183b 5596->5597 5598 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 5596->5598 5600 40132c LocalAlloc 5596->5600 5601 401821 5596->5601 5602 4017d6 5596->5602 5603 4017e7 5597->5603 5613 4015c4 5597->5613 5598->5596 5600->5596 5604 40150c VirtualFree 5601->5604 5605 40150c VirtualFree 5602->5605 5603->5537 5604->5603 5605->5603 5607 401d80 9 API calls 5606->5607 5608 401de0 5607->5608 5609 40132c LocalAlloc 5608->5609 5610 401df0 5609->5610 5611 401b44 9 API calls 5610->5611 5612 401df8 5610->5612 5611->5612 5612->5538 5614 40160a 5613->5614 5615 401626 VirtualAlloc 5614->5615 5616 40163a 5614->5616 
5615->5614 5615->5616 5616->5603 5621 401ef0 5617->5621 5618 401f1c 5619 401d00 9 API calls 5618->5619 5622 401f40 5618->5622 5619->5622 5621->5618 5621->5622 5623 401e58 5621->5623 5622->5501 5622->5502 5628 4016d8 5623->5628 5626 401dcc 9 API calls 5627 401e75 5626->5627 5627->5621 5632 4016f4 5628->5632 5630 4016fe 5631 4015c4 VirtualAlloc 5630->5631 5636 40170a 5631->5636 5632->5630 5633 40175b 5632->5633 5634 40132c LocalAlloc 5632->5634 5635 40174f 5632->5635 5638 401430 5632->5638 5633->5626 5633->5627 5634->5632 5637 40150c VirtualFree 5635->5637 5636->5633 5637->5633 5639 40143f VirtualAlloc 5638->5639 5641 40146c 5639->5641 5642 40148f 5639->5642 5643 4012e4 LocalAlloc 5641->5643 5642->5632 5644 401478 5643->5644 5644->5642 5645 40147c VirtualFree 5644->5645 5645->5642 6486 4028d2 6487 4028da 6486->6487 6488 403554 4 API calls 6487->6488 6489 4028ef 6487->6489 6488->6487 6490 4025ac 4 API calls 6489->6490 6491 4028f4 6490->6491 6811 4019d3 6812 4019ba 6811->6812 6813 4019c3 RtlLeaveCriticalSection 6812->6813 6814 4019cd 6812->6814 6813->6814 6033 407fd4 6034 407fe6 6033->6034 6036 407fed 6033->6036 6044 407f10 6034->6044 6037 408021 6036->6037 6039 408015 6036->6039 6040 408017 6036->6040 6038 40804e 6037->6038 6041 407d7c 19 API calls 6037->6041 6058 407e2c 6039->6058 6055 407d7c 6040->6055 6041->6038 6045 407f25 6044->6045 6046 407d7c 19 API calls 6045->6046 6047 407f34 6045->6047 6046->6047 6048 407f6e 6047->6048 6049 407d7c 19 API calls 6047->6049 6050 407f82 6048->6050 6051 407d7c 19 API calls 6048->6051 6049->6048 6054 407fae 6050->6054 6065 407eb8 6050->6065 6051->6050 6054->6036 6068 4058b4 6055->6068 6057 407d9e 6057->6037 6059 405184 19 API calls 6058->6059 6060 407e57 6059->6060 6076 407de4 6060->6076 6062 407e5f 6063 403198 4 API calls 6062->6063 6064 407e74 6063->6064 6064->6037 6066 407ec7 VirtualFree 6065->6066 6067 407ed9 VirtualAlloc 6065->6067 6066->6067 6067->6054 6069 4058c0 6068->6069 6070 405184 19 API calls 6069->6070 6071 4058ed 
6070->6071 6072 4031e8 4 API calls 6071->6072 6073 4058f8 6072->6073 6074 403198 4 API calls 6073->6074 6075 40590d 6074->6075 6075->6057 6077 4058b4 19 API calls 6076->6077 6078 407e06 6077->6078 6078->6062 6496 40a0d5 6497 40a105 6496->6497 6498 40a10f CreateWindowExA SetWindowLongA 6497->6498 6499 405184 19 API calls 6498->6499 6500 40a192 6499->6500 6501 4032fc 4 API calls 6500->6501 6502 40a1a0 6501->6502 6503 4032fc 4 API calls 6502->6503 6504 40a1ad 6503->6504 6505 406b7c 5 API calls 6504->6505 6506 40a1b9 6505->6506 6507 4032fc 4 API calls 6506->6507 6508 40a1c2 6507->6508 6509 4099a4 29 API calls 6508->6509 6510 40a1d4 6509->6510 6511 409884 5 API calls 6510->6511 6512 40a1e7 6510->6512 6511->6512 6513 40a220 6512->6513 6514 4094d8 9 API calls 6512->6514 6515 40a239 6513->6515 6518 40a233 RemoveDirectoryA 6513->6518 6514->6513 6516 40a242 73EB5CF0 6515->6516 6517 40a24d 6515->6517 6516->6517 6519 40a275 6517->6519 6520 40357c 4 API calls 6517->6520 6518->6515 6521 40a26b 6520->6521 6522 4025ac 4 API calls 6521->6522 6522->6519 6081 40a0e7 6082 40a0eb SetLastError 6081->6082 6113 409648 GetLastError 6082->6113 6085 40a105 6087 40a10f CreateWindowExA SetWindowLongA 6085->6087 6086 402f24 5 API calls 6086->6085 6088 405184 19 API calls 6087->6088 6089 40a192 6088->6089 6090 4032fc 4 API calls 6089->6090 6091 40a1a0 6090->6091 6092 4032fc 4 API calls 6091->6092 6093 40a1ad 6092->6093 6126 406b7c GetCommandLineA 6093->6126 6096 4032fc 4 API calls 6097 40a1c2 6096->6097 6131 4099a4 6097->6131 6100 409884 5 API calls 6101 40a1e7 6100->6101 6102 40a220 6101->6102 6103 40a207 6101->6103 6105 40a239 6102->6105 6108 40a233 RemoveDirectoryA 6102->6108 6147 4094d8 6103->6147 6106 40a242 73EB5CF0 6105->6106 6107 40a24d 6105->6107 6106->6107 6109 40a275 6107->6109 6155 40357c 6107->6155 6108->6105 6111 40a26b 6112 4025ac 4 API calls 6111->6112 6112->6109 6114 404c84 19 API calls 6113->6114 6115 40968f 6114->6115 6116 407284 5 API calls 6115->6116 6117 40969f 6116->6117 
6118 408da8 4 API calls 6117->6118 6119 4096b4 6118->6119 6120 405880 4 API calls 6119->6120 6121 4096c3 6120->6121 6122 4031b8 4 API calls 6121->6122 6123 4096e2 6122->6123 6124 403198 4 API calls 6123->6124 6125 4096ea 6124->6125 6125->6085 6125->6086 6127 406af0 4 API calls 6126->6127 6128 406ba1 6127->6128 6129 403198 4 API calls 6128->6129 6130 406bbf 6129->6130 6130->6096 6132 4033b4 4 API calls 6131->6132 6133 4099df 6132->6133 6134 409a11 CreateProcessA 6133->6134 6135 409a24 CloseHandle 6134->6135 6136 409a1d 6134->6136 6138 409a2d 6135->6138 6137 409648 21 API calls 6136->6137 6137->6135 6168 409978 6138->6168 6141 409a49 6142 409978 3 API calls 6141->6142 6143 409a4e GetExitCodeProcess CloseHandle 6142->6143 6144 409a6e 6143->6144 6145 403198 4 API calls 6144->6145 6146 409a76 6145->6146 6146->6100 6146->6101 6148 409532 6147->6148 6149 4094eb 6147->6149 6148->6102 6149->6148 6150 4094f3 Sleep 6149->6150 6151 409503 Sleep 6149->6151 6153 40951a GetLastError 6149->6153 6172 408fbc 6149->6172 6150->6149 6151->6149 6153->6148 6154 409524 GetLastError 6153->6154 6154->6148 6154->6149 6156 403591 6155->6156 6164 4035a0 6155->6164 6160 4035d0 6156->6160 6161 40359b 6156->6161 6163 4035b6 6156->6163 6157 4035b1 6162 403198 4 API calls 6157->6162 6158 4035b8 6159 4031b8 4 API calls 6158->6159 6159->6163 6160->6163 6166 40357c 4 API calls 6160->6166 6161->6164 6165 4035ec 6161->6165 6162->6163 6163->6111 6164->6157 6164->6158 6165->6163 6180 403554 6165->6180 6166->6160 6169 40998c PeekMessageA 6168->6169 6170 409980 TranslateMessage DispatchMessageA 6169->6170 6171 40999e MsgWaitForMultipleObjects 6169->6171 6170->6169 6171->6138 6171->6141 6173 408f70 2 API calls 6172->6173 6174 408fd2 6173->6174 6175 408fd6 6174->6175 6176 408ff2 DeleteFileA GetLastError 6174->6176 6175->6149 6177 409010 6176->6177 6178 408fac Wow64RevertWow64FsRedirection 6177->6178 6179 409018 6178->6179 6179->6149 6181 403566 6180->6181 6183 403578 6181->6183 6184 403604 6181->6184 
6183->6165 6185 40357c 6184->6185 6186 4035a0 6185->6186 6190 4035d0 6185->6190 6191 40359b 6185->6191 6193 4035b6 6185->6193 6187 4035b1 6186->6187 6188 4035b8 6186->6188 6192 403198 4 API calls 6187->6192 6189 4031b8 4 API calls 6188->6189 6189->6193 6190->6193 6195 40357c 4 API calls 6190->6195 6191->6186 6194 4035ec 6191->6194 6192->6193 6193->6181 6194->6193 6196 403554 4 API calls 6194->6196 6195->6190 6196->6194 6818 402be9 RaiseException 6819 402c04 6818->6819 6529 402af2 6530 402afe 6529->6530 6533 402ed0 6530->6533 6534 403154 4 API calls 6533->6534 6536 402ee0 6534->6536 6535 402b03 6536->6535 6538 402b0c 6536->6538 6539 402b25 6538->6539 6540 402b15 RaiseException 6538->6540 6539->6535 6540->6539 6820 402dfa 6821 402e26 6820->6821 6822 402e0d 6820->6822 6824 402ba4 6822->6824 6825 402bc9 6824->6825 6826 402bad 6824->6826 6825->6821 6827 402bb5 RaiseException 6826->6827 6827->6825 6828 4075fa GetFileSize 6829 407626 6828->6829 6830 407616 GetLastError 6828->6830 6830->6829 6831 40761f 6830->6831 6832 40748c 21 API calls 6831->6832 6832->6829 6833 406ffb 6834 407008 SetErrorMode 6833->6834 6545 403a80 CloseHandle 6546 403a90 6545->6546 6547 403a91 GetLastError 6545->6547 6548 40a282 6549 40a1f4 6548->6549 6550 40a220 6549->6550 6551 4094d8 9 API calls 6549->6551 6552 40a239 6550->6552 6555 40a233 RemoveDirectoryA 6550->6555 6551->6550 6553 40a242 73EB5CF0 6552->6553 6554 40a24d 6552->6554 6553->6554 6556 40a275 6554->6556 6557 40357c 4 API calls 6554->6557 6555->6552 6558 40a26b 6557->6558 6559 4025ac 4 API calls 6558->6559 6559->6556 6560 404283 6561 4042c3 6560->6561 6562 403154 4 API calls 6561->6562 6563 404323 6562->6563 6835 404185 6836 4041ff 6835->6836 6837 4041cc 6836->6837 6838 403154 4 API calls 6836->6838 6839 404323 6838->6839 6564 40a287 6565 40a290 6564->6565 6567 40a2bb 6564->6567 6574 409448 6565->6574 6569 403198 4 API calls 6567->6569 6568 40a295 6568->6567 6571 40a2b3 MessageBoxA 6568->6571 6570 40a2f3 6569->6570 6572 403198 4 API 
calls 6570->6572 6571->6567 6573 40a2fb 6572->6573 6575 409454 GetCurrentProcess OpenProcessToken 6574->6575 6576 4094af ExitWindowsEx 6574->6576 6577 409466 6575->6577 6578 40946a LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6575->6578 6576->6577 6577->6568 6578->6576 6578->6577 6579 403e87 6581 403e4c 6579->6581 6580 403e67 6586 403e78 6580->6586 6592 402674 6580->6592 6581->6580 6582 403e62 6581->6582 6583 403e7b 6581->6583 6588 403cc8 6582->6588 6585 402674 4 API calls 6583->6585 6585->6586 6589 403cd6 6588->6589 6590 402674 4 API calls 6589->6590 6591 403ceb 6589->6591 6590->6591 6591->6580 6593 403154 4 API calls 6592->6593 6594 40267a 6593->6594 6594->6586 6599 407e90 6600 407eb8 VirtualFree 6599->6600 6601 407e9d 6600->6601 6848 403991 6849 403983 6848->6849 6850 40374c VariantClear 6849->6850 6851 40398b 6850->6851 6852 405b92 6854 405b94 6852->6854 6853 405bd0 6857 405930 5 API calls 6853->6857 6854->6853 6855 405be7 6854->6855 6856 405bca 6854->6856 6861 404ccc 5 API calls 6855->6861 6856->6853 6858 405c3c 6856->6858 6859 405be3 6857->6859 6860 4059a0 19 API calls 6858->6860 6862 403198 4 API calls 6859->6862 6860->6859 6863 405c10 6861->6863 6864 405c76 6862->6864 6865 4059a0 19 API calls 6863->6865 6865->6859 6604 403e95 6605 403e4c 6604->6605 6606 403e62 6605->6606 6607 403e7b 6605->6607 6610 403e67 6605->6610 6608 403cc8 4 API calls 6606->6608 6609 402674 4 API calls 6607->6609 6608->6610 6611 403e78 6609->6611 6610->6611 6612 402674 4 API calls 6610->6612 6612->6611 6613 403a97 6614 403aac 6613->6614 6615 403bbc GetStdHandle 6614->6615 6616 403b0e CreateFileA 6614->6616 6626 403ab2 6614->6626 6617 403c17 GetLastError 6615->6617 6621 403bba 6615->6621 6616->6617 6618 403b2c 6616->6618 6617->6626 6620 403b3b GetFileSize 6618->6620 6618->6621 6620->6617 6622 403b4e SetFilePointer 6620->6622 6623 403be7 GetFileType 6621->6623 6621->6626 6622->6617 6627 403b6a ReadFile 6622->6627 6625 403c02 CloseHandle 6623->6625 6623->6626 6625->6626 
6627->6617 6628 403b8c 6627->6628 6628->6621 6629 403b9f SetFilePointer 6628->6629 6629->6617 6630 403bb0 SetEndOfFile 6629->6630 6630->6617 6630->6621 6884 4011aa 6885 4011ac GetStdHandle 6884->6885 6223 4076ac SetEndOfFile 6224 4076c3 6223->6224 6225 4076bc 6223->6225 6226 40748c 21 API calls 6225->6226 6226->6224 6634 4028ac 6635 402594 4 API calls 6634->6635 6636 4028b6 6635->6636 6637 401ab9 6638 401a96 6637->6638 6639 401aa9 RtlDeleteCriticalSection 6638->6639 6640 401a9f RtlLeaveCriticalSection 6638->6640 6640->6639

Control-flow Graph (function at 00409B30; the report colours basic blocks as Executed / Not Executed)
• 409b30-409b54: GetSystemInfo, VirtualQuery; then either exits to 409be4-409beb or enters the region loop via 409b5a and the loop check at 409bd9-409bde
• 409b5c-409b63: per-region dispatch; either VirtualQuery on the next region (409bc5-409bd7) or the attribute checks at 409b65-409b69, 409b6b-409b73, 409b75-409b78, 409b7a-409b7d and 409b7f-409b82
• 409b84-409b95: VirtualProtect; falls into 409b97 / 409b99-409b9b / 409baa-409bad, where 409b9d-409ba6 calls 409b28
• 409baf-409bb1: either returns to the next-region VirtualQuery (409bc5-409bd7) or first calls VirtualProtect again at 409bb3-409bc0
• 409bc5-409bd7: VirtualQuery; loops back through 409bd9-409bde until the walk ends at 409be4-409beb
APIs
• GetSystemInfo.KERNEL32(?), ref: 00409B42
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D (the walk starts at the image base; 0000001C is sizeof(MEMORY_BASIC_INFORMATION) on 32-bit Windows)
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E (00000040 is PAGE_EXECUTE_READWRITE: the queried region of the loaded image is made writable and executable, the runtime behaviour the "Detected unpacking (changes PE section rights)" signature reports)
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
Memory Dump Source
• Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_noode.jbxd
Similarity
• API ID: Virtual$ProtectQuery$InfoSystem
• String ID:
• API String ID: 2441996862-0
• Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
• Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
• Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
• Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669
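The function above changes page protections of the mapped image at run time; the file-level counterpart is a section header that is already flagged writable and executable, which is what the "PE file has a writeable .text section" signature checks. The following static check is an added example and is not code from the Joe Sandbox report or from noode.exe: it parses a PE section table with only the Python standard library and reports sections whose Characteristics carry IMAGE_SCN_MEM_WRITE together with IMAGE_SCN_MEM_EXECUTE. The two PE headers it scans are constructed inline for the demonstration (build_pe is a helper of this example, not a Windows API); on a real sample call writable_executable_sections(open(path, "rb").read()).

```python
"""Static check for writable+executable (W+X) PE sections.

Added example, not part of the Joe Sandbox report or of noode.exe. Walks the
section table of a PE image using only the standard library and returns every
section whose Characteristics contain both IMAGE_SCN_MEM_WRITE and
IMAGE_SCN_MEM_EXECUTE. The sample headers at the bottom are constructed here.
"""
import struct

# Section Characteristics flags (winnt.h values)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FILE_HEADER_SIZE = 20      # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER


def parse_sections(data: bytes):
    """Return [(name, characteristics)] from the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, num_sections, _stamp, _symtab, _nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + FILE_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, characteristics))
    return sections


def writable_executable_sections(data: bytes):
    """Names of sections mapped both writable and executable."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [name for name, flags in parse_sections(data) if flags & wx == wx]


def build_pe(sections):
    """Construct a minimal PE32 header (no section bodies) for the demo.

    Helper of this example only; it is not a Windows API.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt_size = 224                                    # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                           opt_size, 0x0102)          # i386, EXECUTABLE_IMAGE|32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)       # ImageBase
    table = b""
    rva = 0x1000
    for name, flags in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             0x1000, rva, 0x200, 0x400, 0, 0, 0, 0, flags)
        rva += 0x1000
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


# Constructed samples: a conventional layout and one with a W+X code section.
SAMPLE_CLEAN = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
SAMPLE_SUSPECT = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(label, writable_executable_sections(blob))
```

A W+X section header is only the static half of the story: a packer can ship a read-only code section and still reach the same state through the VirtualProtect(..., PAGE_EXECUTE_READWRITE) loop traced above, so a file scanner and an API-trace rule complement each other rather than replacing each other.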
APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
Memory Dump Source
• Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_noode.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
• Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
• Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
• Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleModulePolicyProcess
                                                                                                              • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                                              • API String ID: 3256987805-3653653586
                                                                                                              • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                                              • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                                              • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                                              • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • SetLastError.KERNEL32 ref: 0040A0F4
                                                                                                                • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,021A15A0), ref: 0040966C
                                                                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                                                              • SetWindowLongA.USER32(000103E8,000000FC,00409918), ref: 0040A148
                                                                                                              • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                                                              • 73EB5CF0.USER32(000103E8,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastWindow$CreateDirectoryLongRemove
                                                                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                                              • API String ID: 3341979996-3001827809
                                                                                                              • Opcode ID: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
                                                                                                              • Instruction ID: a1ec2b29f79e5ff862fc4fad7e4f310b8339f10a1453332cc6b7faa73b6a426b
                                                                                                              • Opcode Fuzzy Hash: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
                                                                                                              • Instruction Fuzzy Hash: C2411F71600205DFD710EBA9EE8AB9977A4EB45304F10467EF514B73E2CBB8A811CB9D

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                                              • API String ID: 1646373207-2130885113
                                                                                                              • Opcode ID: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                                                              • Instruction ID: 4a4222b704d734fa8d0781b40c04fe9f9c76e7b4f133337d95099c0c8a01123f
                                                                                                              • Opcode Fuzzy Hash: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                                                              • Instruction Fuzzy Hash: 20017170748342AEFB00BB72DD4AB163A68E785704F50457BF5407A2D3DABD4C04DA6D
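The two functions above (the SetDllDirectoryW / SetSearchPathMode / SetProcessDEPPolicy block at 00404582 and the Wow64*FsRedirection block at 004090C4) are what the "Extensive use of GetProcAddress" and "dynamically determine API calls" signatures fire on. Both are consistent with the standard Inno Setup loader hardening its own process rather than with packer-style import hiding, so when triaging such a report it helps to pull the resolved names out of the API list mechanically and see whether the resolved function is then called with a benign argument. The script below is an added example, not part of the Joe Sandbox report or of any tool it describes. It parses API lines in the report's own "API.MODULE(args), ref: addr" form (the sample lines are copied from the two blocks above; grouping calls into functions by address gap is a heuristic I introduce here), collects the names handed to the resolver calls, and checks whether SetProcessDEPPolicy was called with PROCESS_DEP_ENABLE. Note that the sandbox prints leftover stack contents as extra arguments, which is why in the Wow64 block the target names show up on the GetModuleHandleA line rather than on GetProcAddress; the collector therefore looks at every argument of every resolver call in the block instead of trusting argument position.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed input: API lines copied verbatim from the two dynamic-resolution
# functions in the report, in its "API.MODULE(args), ref: addr" notation.
SAMPLE_TRACE = """
GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
"""

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
# An identifier-looking argument: excludes hex words (start with a digit),
# the '?' placeholder and module names such as kernel32.dll (contain a dot).
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{3,}$")
RESOLVERS = {"GetModuleHandleA", "GetModuleHandleW", "GetProcAddress",
             "LoadLibraryA", "LoadLibraryW"}
PROCESS_DEP_ENABLE = 0x1  # documented dwFlags value for SetProcessDEPPolicy


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple
    ref: int


def parse_trace(text: str) -> List[Call]:
    """Parse report-style API lines into Call records; reject anything else."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised trace line: {line!r}")
        args = tuple(a.strip() for a in m["args"].split(","))
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def group_by_function(calls: List[Call], max_gap: int = 0x100) -> List[List[Call]]:
    """Heuristic (mine, not the report's): consecutive call sites within
    max_gap bytes of each other are treated as one function."""
    blocks: List[List[Call]] = []
    current: List[Call] = []
    for c in calls:
        if current and c.ref - current[-1].ref > max_gap:
            blocks.append(current)
            current = []
        current.append(c)
    if current:
        blocks.append(current)
    return blocks


def resolved_names(block: List[Call]) -> Set[str]:
    """Every identifier passed to a resolver call in the block. Looking at all
    arguments (not just GetProcAddress's second one) copes with the sandbox
    printing stack residue as arguments, as in the Wow64 block."""
    names: Set[str] = set()
    for c in block:
        if c.api in RESOLVERS:
            names.update(a for a in c.args if IDENT_RE.match(a))
    return names


def dep_policy_enabled(block: List[Call]) -> bool:
    """True if the block calls SetProcessDEPPolicy(PROCESS_DEP_ENABLE)."""
    return any(c.api == "SetProcessDEPPolicy" and int(c.args[0], 16) == PROCESS_DEP_ENABLE
               for c in block)


def scan(text: str) -> List[dict]:
    """Per-function summary a triager can eyeball."""
    return [{"start": hex(b[0].ref),
             "resolved": sorted(resolved_names(b)),
             "dep_enabled": dep_policy_enabled(b)}
            for b in group_by_function(parse_trace(text))]


if __name__ == "__main__":
    for entry in scan(SAMPLE_TRACE):
        print(entry)
```

Run against the two blocks above it reports {SetDllDirectoryW, SetSearchPathMode, SetProcessDEPPolicy} with DEP enabled for the first function and the two Wow64 redirection functions for the second; a packer resolving its real imports would show a much longer and more varied name list, usually without a benign follow-up call like SetProcessDEPPolicy(1).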

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                                                              • SetWindowLongA.USER32(000103E8,000000FC,00409918), ref: 0040A148
                                                                                                                • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
                                                                                                                • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021A15A0,00409A90,00000000,00409A77), ref: 00409A14
                                                                                                                • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021A15A0,00409A90,00000000), ref: 00409A28
                                                                                                                • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                                                                • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                                                                • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021A15A0,00409A90), ref: 00409A5C
                                                                                                              • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                                                              • 73EB5CF0.USER32(000103E8,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                                              • API String ID: 978128352-3001827809
                                                                                                              • Opcode ID: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
                                                                                                              • Instruction ID: f39d198f6ca78f9e57da3cbf677d536b45cc778db879de651171db1d1b5627bc
                                                                                                              • Opcode Fuzzy Hash: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
                                                                                                              • Instruction Fuzzy Hash: 07411A71604204DFD714EBA9EE86B5A77A4EB49304F10427EE514B73E1CBB8A810CB9D
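The function above is the Inno Setup loader's hand-off: it creates a hidden STATIC window named InnoSetupLdrWindow (handle 000103E8 in this run), builds a command line from the `/SL5="$%x,%d,%d,` format string, spawns the unpacked setup executable with CreateProcessA, waits on it with MsgWaitForMultipleObjects, reads its exit code and removes the temporary directory. On the endpoint that shows up as a child process whose command line carries `/SL5=`, so an incident responder can recognise the loader-to-setup chain in process-creation telemetry and check that the path embedded in the hand-off is the loader that spawned it. The code below is an added example, not part of the report or of Inno Setup; the process events are constructed, and the interpretation of the three fields as window handle, two offsets and the original installer path follows the Inno Setup loader convention as I understand it (the report only shows the format prefix), so treat those field names as an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The report's format string is /SL5="$%x,%d,%d,  ; the loader appends the path
# of the original installer and a closing quote (assumption: Inno Setup loader
# convention, the page shows only the prefix).
SL5_RE = re.compile(
    r'/SL5="\$(?P<hwnd>[0-9A-Fa-f]+),(?P<off0>\d+),(?P<off1>\d+),(?P<src>[^"]*)"'
)


@dataclass(frozen=True)
class InnoHandoff:
    loader_hwnd: int      # %x: the loader's InnoSetupLdrWindow handle (assumed)
    offset0: int          # %d: first offset into the installer (assumed)
    offset1: int          # %d: second offset into the installer (assumed)
    source_path: str      # path of the original installer (assumed)


def parse_inno_handoff(cmdline: str) -> Optional[InnoHandoff]:
    """Return the parsed /SL5= hand-off, or None if the command line has none."""
    m = SL5_RE.search(cmdline)
    if m is None:
        return None
    return InnoHandoff(int(m["hwnd"], 16), int(m["off0"]), int(m["off1"]), m["src"])


# Constructed process-creation records (not from the report). The window handle
# 103E8 mirrors the CreateWindowExA result seen in the listing; the offsets and
# the is-XXXXX.tmp directory name are illustrative.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\noode.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\is-ABC12.tmp\noode.tmp",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\is-ABC12.tmp\noode.tmp" '
                r'/SL5="$103E8,1234567,54272,C:\Users\user\Desktop\noode.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\user\notes.txt"},
    {"parent": r"C:\Users\user\Downloads\other.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\is-XYZ99.tmp\setup.tmp",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\is-XYZ99.tmp\setup.tmp" '
                r'/SL5="$2044A,777,888,C:\Users\user\Desktop\noode.exe"'},
]


def find_inno_handoffs(events: List[dict]) -> List[Tuple[dict, InnoHandoff, bool]]:
    """Return (event, handoff, consistent) for every child spawned via /SL5=.

    'consistent' is the check a responder wants: the installer path embedded
    in the hand-off should be the parent image. A mismatch means the child
    was not started by the loader it names and deserves a closer look."""
    hits = []
    for ev in events:
        h = parse_inno_handoff(ev["cmdline"])
        if h is None:
            continue
        consistent = h.source_path.lower() == ev["parent"].lower()
        hits.append((ev, h, consistent))
    return hits


if __name__ == "__main__":
    for ev, h, ok in find_inno_handoffs(SAMPLE_EVENTS):
        print(ev["image"], "hwnd=%#x" % h.loader_hwnd, h.source_path, "OK" if ok else "MISMATCH")
```

The third constructed event shows the point of the consistency check: the command line names noode.exe as its installer but the recorded parent is a different binary, which the scan flags instead of accepting as a routine Inno Setup launch.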

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021A15A0,00409A90,00000000,00409A77), ref: 00409A14
                                                                                                              • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021A15A0,00409A90,00000000), ref: 00409A28
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                                                              • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                                                              • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021A15A0,00409A90), ref: 00409A5C
                                                                                                                • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,021A15A0), ref: 0040966C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                                              • String ID: D
                                                                                                              • API String ID: 3356880605-2746444292
                                                                                                              • Opcode ID: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
                                                                                                              • Instruction ID: 6ea97129cf5aa135a7f7046e3a99eae43c862e8aca722617c6144c18eae127a8
                                                                                                              • Opcode Fuzzy Hash: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
                                                                                                              • Instruction Fuzzy Hash: 3A1142B17442486EDB10EBE68C42FAEB7ACEF49714F50017BB604F72C2DA785D048A69

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message
                                                                                                              • String ID: .tmp$y@
                                                                                                              • API String ID: 2030045667-2396523267
                                                                                                              • Opcode ID: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
                                                                                                              • Instruction ID: eba11cc0b212557bcf85e4c41764595d0d3f2f842990b0293eb01d0c1562b25b
                                                                                                              • Opcode Fuzzy Hash: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
                                                                                                              • Instruction Fuzzy Hash: 9841BD30600200DFC711EF25DE96A5A77A5EB49304B50463AF804B73E2CBB9AC05CBED

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message
                                                                                                              • String ID: .tmp$y@
                                                                                                              • API String ID: 2030045667-2396523267
                                                                                                              • Opcode ID: b92571b7798fdf1738320cf5764acc74050170256781880fb7a821db28d3127f
                                                                                                              • Instruction ID: fef9de22095f7e51d457e3baefdda2d393bbfb66a144e2f6f14d312cbfdc2d61
                                                                                                              • Opcode Fuzzy Hash: b92571b7798fdf1738320cf5764acc74050170256781880fb7a821db28d3127f
                                                                                                              • Instruction Fuzzy Hash: 3A418D70610204DFC711EF25DED6A5A77A5EB49308B50463AF804B73E2CBB9AC05CBAD

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateDirectoryErrorLast
                                                                                                              • String ID: .tmp
                                                                                                              • API String ID: 1375471231-2986845003
                                                                                                              • Opcode ID: 8228534b5fce36e17f8a1a4f12b5018fbfc2097e6833105d4f39ac42e8c6f43b
                                                                                                              • Instruction ID: a1094b0e4056d8a2da25745c6e48f9a4b2523a9a3c4edc503687ab74cbc79d39
                                                                                                              • Opcode Fuzzy Hash: 8228534b5fce36e17f8a1a4f12b5018fbfc2097e6833105d4f39ac42e8c6f43b
                                                                                                              • Instruction Fuzzy Hash: 3A213674A002099BDB05FFA1C9429DEB7B9EF48304F50457BE901B73C2DA7C9E059AA5

                                                                                                              Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): basic blocks 4076dc-407917, API calls WriteFile and InterlockedExchange, internal calls to 40748c, 4073ec and 407890
                                                                                                              APIs
                                                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                                              Similarity
                                                                                                              • API ID: FileWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3934441357-0
                                                                                                              • Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                                                              • Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
                                                                                                              • Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                                                              • Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B

                                                                                                              Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): single basic block 406fa0-406ff3 calling SetErrorMode, internal function 403414 and LoadLibraryA
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                                              • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLibraryLoadMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 2987862817-0
                                                                                                              • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                                              • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                                                              • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                                              • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

                                                                                                              Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): basic blocks 40766c-4076a8, API calls SetFilePointer and GetLastError, internal call to 40748c
                                                                                                              APIs
                                                                                                              • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                                              • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021903AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$FilePointer
                                                                                                              • String ID:
                                                                                                              • API String ID: 1156039329-0
                                                                                                              • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                                              • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                                                              • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                                              • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                                                              Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): basic blocks 40762c-40766a, API calls ReadFile and GetLastError, internal call to 40748c
                                                                                                              APIs
                                                                                                              • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFileLastRead
                                                                                                              • String ID:
                                                                                                              • API String ID: 1948546556-0
                                                                                                              • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                                              • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                                              • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                                              • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

                                                                                                              Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): basic blocks 4075c4-4075f9, API calls SetFilePointer and GetLastError, internal call to 40748c
                                                                                                              APIs
                                                                                                              • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                                              • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021903AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$FilePointer
                                                                                                              • String ID:
                                                                                                              • API String ID: 1156039329-0
                                                                                                              • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                                              • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                                                              • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                                              • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                                                              APIs
                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                                              Similarity
                                                                                                              • API ID: Virtual$AllocFree
                                                                                                              • String ID:
                                                                                                              • API String ID: 2087232378-0
                                                                                                              • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                                              • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                                                              • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                                              • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                                                              APIs
                                                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F
                                                                                                                • Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9
                                                                                                                • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                                              Similarity
                                                                                                              • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                                              • String ID:
                                                                                                              • API String ID: 1658689577-0
                                                                                                              • Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                                                              • Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
                                                                                                              • Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                                                              • Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 823142352-0
                                                                                                              • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                                              • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                                                              • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                                              • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 823142352-0
                                                                                                              • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                                              • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                                                              • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                                              • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                                                              APIs
                                                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AttributesFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 3188754299-0
                                                                                                              • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                                              • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                                                              • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                                              • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                                                              APIs
                                                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021903AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFileLastWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 442123175-0
                                                                                                              • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                                              • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                                                              • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                                              • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                                                              APIs
                                                                                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FormatMessage
                                                                                                              • String ID:
                                                                                                              • API String ID: 1306739567-0
                                                                                                              • Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                                                                              • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                                                              • Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                                                                              • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                                                                              APIs
                                                                                                              • SetEndOfFile.KERNEL32(?,021B4000,0040A08C,00000000), ref: 004076B3
                                                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021903AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFileLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 734332943-0
                                                                                                              • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                                              • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                                                              • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                                              • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 2340568224-0
                                                                                                              • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                                              • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                                                              • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                                              • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 2340568224-0
                                                                                                              • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                                              • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                                                              • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                                              • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                                                              APIs
                                                                                                              • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CharPrev
                                                                                                              • String ID:
                                                                                                              • API String ID: 122130370-0
                                                                                                              • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                                              • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                                              • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                                              • Instruction Fuzzy Hash:
                                                                                                              APIs
                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 4275171209-0
                                                                                                              • Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
                                                                                                              • Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
                                                                                                              • Opcode Fuzzy Hash: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
                                                                                                              • Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA
                                                                                                              APIs
                                                                                                              • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 1263568516-0
                                                                                                              • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                                              • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                                              • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                                              • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 2962429428-0
                                                                                                              • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                                              • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                                                              • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                                              • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                                                              APIs
                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 1263568516-0
                                                                                                              • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                                              • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                                                              • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                                              • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
                                                                                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
                                                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                              • String ID: SeShutdownPrivilege
                                                                                                              • API String ID: 107509674-3733053543
                                                                                                              • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                                              • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                                                              • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                                              • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                                                              APIs
                                                                                                              • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
                                                                                                              • SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
                                                                                                              • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
                                                                                                              • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                                              • String ID:
                                                                                                              • API String ID: 3473537107-0
                                                                                                              • Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                                                                              • Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
                                                                                                              • Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                                                                              • Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E
                                                                                                              APIs
                                                                                                              • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale
                                                                                                              • String ID:
                                                                                                              • API String ID: 2299586839-0
                                                                                                              • Opcode ID: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                                                                              • Instruction ID: 297a7c39c0825e6b478cba46507f56ab37b47465b1590baa0f4eee863dd3b982
                                                                                                              • Opcode Fuzzy Hash: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                                                                              • Instruction Fuzzy Hash: AED05EA630E6502AE21051AB2D85EBB4A9CCEC5BA4F18407FF648D7242D6248C069B76
                                                                                                              APIs
                                                                                                              • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: SystemTime
                                                                                                              • String ID:
                                                                                                              • API String ID: 2656138-0
                                                                                                              • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                                              • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                                                              • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                                              • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                                              APIs
                                                                                                              • GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Version
                                                                                                              • String ID:
                                                                                                              • API String ID: 1889659487-0
                                                                                                              • Opcode ID: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                                                              • Instruction ID: 3c95a3e10eaf3ff9c271e05f7503c1a51fdcfb4de7972086e3eff1de8b037954
                                                                                                              • Opcode Fuzzy Hash: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                                                              • Instruction Fuzzy Hash: FDC012A040070186D7109B31EC02B1672D4AB44310F440539AEA4953C2E73C80018A5A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                                              • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                                              • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                                              • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressCloseHandleModuleProc
                                                                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                                              • API String ID: 4190037839-2401316094
                                                                                                              • Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                                                              • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                                              • Opcode Fuzzy Hash: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                                                              • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                                              • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                                              • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                              • String ID:
                                                                                                              • API String ID: 1694776339-0
                                                                                                              • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                              • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                                              • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                              • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                                              APIs
                                                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
                                                                                                                • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                                                • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale$DefaultSystem
                                                                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                              • API String ID: 1044490935-665933166
                                                                                                              • Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                                                              • Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
                                                                                                              • Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                                                              • Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C
                                                                                                              APIs
                                                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                                              • LocalFree.KERNEL32(0074F6D0,00000000,00401AB4), ref: 00401A1B
                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,0074F6D0,00000000,00401AB4), ref: 00401A3A
                                                                                                              • LocalFree.KERNEL32(007506D0,?,00000000,00008000,0074F6D0,00000000,00401AB4), ref: 00401A79
                                                                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                                              • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 3782394904-0
                                                                                                              • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                                              • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                                              • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                                              • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                                              APIs
                                                                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                                              • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExitMessageProcess
                                                                                                              • String ID: Error$Runtime error at 00000000$9@
                                                                                                              • API String ID: 1220098344-1503883590
                                                                                                              • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                                              • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                                              • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                                              • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$AllocString
                                                                                                              • String ID:
                                                                                                              • API String ID: 262959230-0
                                                                                                              • Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                                                              • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                                              • Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                                                              • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                                              APIs
                                                                                                              • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                                              • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                                              • String ID:
                                                                                                              • API String ID: 730355536-0
                                                                                                              • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                                                              • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                                              • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                                                              • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                                                              APIs
                                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
                                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: QueryValue
                                                                                                              • String ID: )q@
                                                                                                              • API String ID: 3660427363-2284170586
                                                                                                              • Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                                                              • Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
                                                                                                              • Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                                                              • Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
                                                                                                              • GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CommandHandleLineModule
                                                                                                              • String ID: U1hd.@
                                                                                                              • API String ID: 2123368496-2904493091
                                                                                                              • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                                              • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                                              • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                                              • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                                              APIs
                                                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
                                                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
                                                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
                                                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.3605086567.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.3605038641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605124380.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.3605164567.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastSleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 1458359878-0
                                                                                                              • Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                                                              • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                                              • Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                                                              • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

Execution Graph

Execution Coverage: 16%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.3%
Total number of Nodes: 2000
Total number of Limit Nodes: 69
execution_graph: node/edge serialization of the interactive graph (node record = "<id> <hex address>" followed by API names or by "<n> API calls" for a collapsed subgraph; edge record = "<src id>-><dst id>"). The copy in this extraction is partial and ends mid-record at node 4013e0, so it covers only a fraction of the 2000 nodes counted above. What it does record, grouped by entry node:
• 40cf00: a branch to 406f50 CloseHandle.
• 4413a4: a branch to 4413bb WriteFile.
• 492208: a chain of branch nodes (492252, 49228e, 4922ca, 492320, 49237c, 4923d8, 492412, 492460, 4924b4, 492508, 49256a, 4925f1, 492626, 492658), each either going to one handler or on to the next test. Handlers: 492247 Sleep; 492278 and 4922b2 FindWindowA; 49230a and 492445 SendMessageA; 492360 and 492493 PostMessageA; 4923bc and 4924e7 SendNotifyMessageA; 4923fc RegisterClipboardFormatA; 492524 -> 42e3a4 SetErrorMode -> 403738 -> 40373c LoadLibraryA, returning to 492531 which continues at 492537 or at 492547 GetLastError; 49259b GetProcAddress; 49260a FreeLibrary; 492649 CreateMutexA; 492684 OemToCharBuffA; 4926c7 CharToOemBuffA. Shared helpers on these paths: 446fac, 48c638 and 4040e8 (18 API calls each); 447008 -> 436088; 447288 (5 API calls) -> 4363f0 VariantClear; 4470e0 and 48c650 (LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear); 408c14 and 4033bc (LocalAlloc TlsSetValue TlsGetValue TlsGetValue).
• 402584: the allocator paths through 402088, 401f94, 401db4, 401d1c, 401940, 40178c, 40170c and 4014e4. Leaves: 4019cc RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc RtlLeaveCriticalSection (the same four calls as the 0040192E..004019C8 function listed above); 4025c2 and 4020c6 RtlEnterCriticalSection; 40262b and 4021f1 RtlLeaveCriticalSection; 401678 and 4014f3 VirtualAlloc; 4015c0, 401530 and 40175d VirtualFree; 4013e0, 401398 and 401454 LocalAlloc; 4023b4 (13 API calls); 402210, 401e80, 401bf8 and 401c4c (9 API calls each).
LocalAlloc 50046->50048 50047->50045 50048->50036 50049->50038 50050->50040 55845 48042c 55850 450ff0 55845->55850 55847 480440 55860 47f518 55847->55860 55849 480464 55851 450ffd 55850->55851 55853 451051 55851->55853 55866 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55851->55866 55854 450e74 InterlockedExchange 55853->55854 55855 451063 55854->55855 55857 451079 55855->55857 55867 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55855->55867 55858 4510bc 55857->55858 55868 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55857->55868 55858->55847 55869 40b5c8 55860->55869 55862 47f53a 55863 47f585 55862->55863 55864 4069e4 4 API calls 55862->55864 55873 4768b0 55862->55873 55863->55849 55864->55862 55866->55853 55867->55857 55868->55858 55871 40b5d3 55869->55871 55870 40b5f3 55870->55862 55871->55870 55889 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55871->55889 55881 4768e1 55873->55881 55883 47692a 55873->55883 55874 476975 55890 451280 55874->55890 55876 451280 21 API calls 55876->55883 55877 4038a4 4 API calls 55877->55881 55878 47698c 55879 403420 4 API calls 55878->55879 55882 4769a6 55879->55882 55880 4038a4 4 API calls 55880->55883 55881->55877 55881->55883 55884 403744 4 API calls 55881->55884 55885 403450 4 API calls 55881->55885 55888 451280 21 API calls 55881->55888 55882->55862 55883->55874 55883->55876 55883->55880 55886 403744 4 API calls 55883->55886 55887 403450 4 API calls 55883->55887 55884->55881 55885->55881 55886->55883 55887->55883 55888->55881 55889->55870 55891 45129b 55890->55891 55895 451290 55890->55895 55896 451224 21 API calls 55891->55896 55893 4512a6 55893->55895 55897 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55893->55897 55895->55878 55896->55893 55897->55895 55898 41ee64 55899 41ee73 IsWindowVisible 55898->55899 55900 41eea9 55898->55900 55899->55900 55901 41ee7d IsWindowEnabled 55899->55901 55901->55900 55902 41ee87 55901->55902 55903 402648 4 API calls 55902->55903 55904 41ee91 
EnableWindow 55903->55904 55904->55900 55905 41fb68 55906 41fb71 55905->55906 55909 41fe0c 55906->55909 55908 41fb7e 55910 41fefe 55909->55910 55911 41fe23 55909->55911 55910->55908 55911->55910 55930 41f9cc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 55911->55930 55913 41fe59 55914 41fe83 55913->55914 55915 41fe5d 55913->55915 55940 41f9cc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 55914->55940 55931 41fbac 55915->55931 55918 41fe91 55920 41fe95 55918->55920 55921 41febb 55918->55921 55924 41fbac 10 API calls 55920->55924 55925 41fbac 10 API calls 55921->55925 55922 41fbac 10 API calls 55923 41fe81 55922->55923 55923->55908 55926 41fea7 55924->55926 55927 41fecd 55925->55927 55928 41fbac 10 API calls 55926->55928 55929 41fbac 10 API calls 55927->55929 55928->55923 55929->55923 55930->55913 55932 41fbc7 55931->55932 55933 41fbdd 55932->55933 55934 41f94c 4 API calls 55932->55934 55941 41f94c 55933->55941 55934->55933 55936 41fc25 55937 41fc48 SetScrollInfo 55936->55937 55949 41faac 55937->55949 55940->55918 55942 4181f0 55941->55942 55943 41f969 GetWindowLongA 55942->55943 55944 41f9a6 55943->55944 55945 41f986 55943->55945 55961 41f8d8 GetWindowLongA GetSystemMetrics GetSystemMetrics 55944->55961 55960 41f8d8 GetWindowLongA GetSystemMetrics GetSystemMetrics 55945->55960 55948 41f992 55948->55936 55950 41faba 55949->55950 55951 41fac2 55949->55951 55950->55922 55952 41fb01 55951->55952 55953 41faf1 55951->55953 55959 41faff 55951->55959 55963 417e58 IsWindowVisible ScrollWindow SetWindowPos 55952->55963 55962 417e58 IsWindowVisible ScrollWindow SetWindowPos 55953->55962 55954 41fb41 GetScrollPos 55954->55950 55957 41fb4c 55954->55957 55958 41fb5b SetScrollPos 55957->55958 55958->55950 55959->55954 55960->55948 55961->55948 55962->55959 55963->55959 55964 4205a8 55965 4205bb 55964->55965 55985 415b40 55965->55985 55967 420702 55968 420719 55967->55968 55992 4146e4 KiUserCallbackDispatcher 55967->55992 55972 420730 
55968->55972 55993 414728 KiUserCallbackDispatcher 55968->55993 55969 420661 55990 420858 20 API calls 55969->55990 55970 4205f6 55970->55967 55970->55969 55978 420652 MulDiv 55970->55978 55975 420752 55972->55975 55994 420070 12 API calls 55972->55994 55976 42067a 55976->55967 55991 420070 12 API calls 55976->55991 55989 41a314 LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 55978->55989 55981 420697 55982 4206b3 MulDiv 55981->55982 55983 4206d6 55981->55983 55982->55983 55983->55967 55984 4206df MulDiv 55983->55984 55984->55967 55986 415b52 55985->55986 55995 414480 55986->55995 55988 415b6a 55988->55970 55989->55969 55990->55976 55991->55981 55992->55968 55993->55972 55994->55975 55996 41449a 55995->55996 55999 410658 55996->55999 55998 4144b0 55998->55988 56002 40dea4 55999->56002 56001 41065e 56001->55998 56003 40df06 56002->56003 56004 40deb7 56002->56004 56009 40df14 56003->56009 56007 40df14 19 API calls 56004->56007 56008 40dee1 56007->56008 56008->56001 56010 40df24 56009->56010 56012 40df3a 56010->56012 56021 40e29c 56010->56021 56037 40d7e0 56010->56037 56040 40e14c 56012->56040 56015 40d7e0 5 API calls 56016 40df42 56015->56016 56016->56015 56017 40dfae 56016->56017 56043 40dd60 56016->56043 56018 40e14c 5 API calls 56017->56018 56020 40df10 56018->56020 56020->56001 56057 40eb6c 56021->56057 56023 403778 4 API calls 56025 40e2d7 56023->56025 56024 40e38d 56026 40e3b7 56024->56026 56027 40e3a8 56024->56027 56025->56023 56025->56024 56120 40d974 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56025->56120 56121 40e280 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56025->56121 56117 40bc24 56026->56117 56066 40e5c0 56027->56066 56032 40e3b5 56034 403400 4 API calls 56032->56034 56035 40e45c 56034->56035 56035->56010 56038 40ec08 5 API calls 56037->56038 56039 40d7ea 56038->56039 56039->56010 56154 40d6bc 56040->56154 56163 40e154 56043->56163 56046 40eb6c 5 API calls 56047 40dd9e 56046->56047 56048 40eb6c 5 API calls 
56047->56048 56049 40dda9 56048->56049 56050 40ddc4 56049->56050 56051 40ddbb 56049->56051 56056 40ddc1 56049->56056 56170 40dbd8 56050->56170 56173 40dcc8 19 API calls 56051->56173 56054 403420 4 API calls 56055 40de8f 56054->56055 56055->56016 56056->56054 56123 40d980 56057->56123 56060 4034e0 4 API calls 56061 40eb8f 56060->56061 56062 403744 4 API calls 56061->56062 56063 40eb96 56062->56063 56064 40d980 5 API calls 56063->56064 56065 40eba4 56064->56065 56065->56025 56067 40e5f6 56066->56067 56068 40e5ec 56066->56068 56070 40e711 56067->56070 56071 40e695 56067->56071 56072 40e6f6 56067->56072 56073 40e776 56067->56073 56074 40e638 56067->56074 56075 40e6d9 56067->56075 56076 40e67a 56067->56076 56077 40e6bb 56067->56077 56110 40e65c 56067->56110 56128 40d640 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56068->56128 56078 40d964 5 API calls 56070->56078 56136 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56071->56136 56141 40ea90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56072->56141 56082 40d964 5 API calls 56073->56082 56129 40d964 56074->56129 56139 40eba8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56075->56139 56135 40da18 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56076->56135 56138 40dfe4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56077->56138 56087 40e719 56078->56087 56081 403400 4 API calls 56088 40e7eb 56081->56088 56089 40e77e 56082->56089 56093 40e723 56087->56093 56094 40e71d 56087->56094 56088->56032 56095 40e782 56089->56095 56096 40e79b 56089->56096 56090 40e6e4 56140 409f38 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56090->56140 56092 40e6a0 56137 40d670 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56092->56137 56142 40ec08 56093->56142 56102 40e721 56094->56102 56103 40e73c 56094->56103 56105 40ec08 5 API calls 56095->56105 56148 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56096->56148 56098 40e661 56134 
40e0d8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56098->56134 56099 40e644 56132 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56099->56132 56146 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56102->56146 56108 40ec08 5 API calls 56103->56108 56105->56110 56112 40e744 56108->56112 56109 40e64f 56133 40e46c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56109->56133 56110->56081 56145 40daa0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56112->56145 56114 40e766 56147 40e4d4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56114->56147 56149 40bbd0 56117->56149 56120->56025 56121->56025 56122 40d974 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56122->56032 56124 40d98b 56123->56124 56125 40d9c5 56124->56125 56127 40d9cc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56124->56127 56125->56060 56127->56124 56128->56067 56130 40ec08 5 API calls 56129->56130 56131 40d96e 56130->56131 56131->56098 56131->56099 56132->56109 56133->56110 56134->56110 56135->56110 56136->56092 56137->56110 56138->56110 56139->56090 56140->56110 56141->56110 56143 40d980 5 API calls 56142->56143 56144 40ec15 56143->56144 56144->56110 56145->56110 56146->56114 56147->56110 56148->56110 56150 40bbe2 56149->56150 56152 40bc07 56149->56152 56150->56152 56153 40bc84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56150->56153 56152->56032 56152->56122 56153->56152 56155 40ec08 5 API calls 56154->56155 56156 40d6c9 56155->56156 56157 40d6dc 56156->56157 56161 40ed0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56156->56161 56157->56016 56159 40d6d7 56162 40d658 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56159->56162 56161->56159 56162->56157 56164 40d964 5 API calls 56163->56164 56165 40e16b 56164->56165 56166 40ec08 5 API calls 56165->56166 56169 40dd93 56165->56169 56167 40e178 56166->56167 56167->56169 56174 40e0d8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 
LoadStringA 56167->56174 56169->56046 56175 40ad7c 19 API calls 56170->56175 56172 40dc00 56172->56056 56173->56056 56174->56169 56175->56172 50051 491444 50052 49147e 50051->50052 50053 49148a 50052->50053 50054 491480 50052->50054 50056 491499 50053->50056 50057 4914c2 50053->50057 50247 4090a0 MessageBeep 50054->50247 50059 447008 18 API calls 50056->50059 50062 4914fa 50057->50062 50063 4914d1 50057->50063 50058 403420 4 API calls 50060 491ad6 50058->50060 50061 4914a6 50059->50061 50064 403400 4 API calls 50060->50064 50248 406bb8 50061->50248 50072 491509 50062->50072 50073 491532 50062->50073 50066 447008 18 API calls 50063->50066 50067 491ade 50064->50067 50069 4914de 50066->50069 50256 406c08 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50069->50256 50075 447008 18 API calls 50072->50075 50078 49155a 50073->50078 50079 491541 50073->50079 50074 4914e9 50257 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50074->50257 50077 491516 50075->50077 50258 406c3c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50077->50258 50086 491569 50078->50086 50087 49158e 50078->50087 50260 407288 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetCurrentDirectoryA 50079->50260 50082 491521 50259 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50082->50259 50083 491549 50261 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50083->50261 50088 447008 18 API calls 50086->50088 50090 49159d 50087->50090 50094 4915c6 50087->50094 50089 491576 50088->50089 50262 4072b0 50089->50262 50093 447008 18 API calls 50090->50093 50092 49157e 50265 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50092->50265 50096 4915aa 50093->50096 50097 4915fe 50094->50097 50098 4915d5 50094->50098 50266 42c814 50096->50266 50106 49164a 50097->50106 50107 49160d 50097->50107 50101 447008 18 API calls 50098->50101 50099 491485 50099->50058 50103 4915e2 50101->50103 50276 407200 8 API calls 50103->50276 50112 491659 50106->50112 
50113 491682 50106->50113 50109 447008 18 API calls 50107->50109 50108 4915ed 50277 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50108->50277 50111 49161c 50109->50111 50114 447008 18 API calls 50111->50114 50115 447008 18 API calls 50112->50115 50119 4916ba 50113->50119 50120 491691 50113->50120 50116 49162d 50114->50116 50117 491666 50115->50117 50278 491148 8 API calls 50116->50278 50280 42c8b4 50117->50280 50129 4916c9 50119->50129 50130 4916f2 50119->50130 50123 447008 18 API calls 50120->50123 50121 491639 50279 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50121->50279 50126 49169e 50123->50126 50286 42c8dc 50126->50286 50132 447008 18 API calls 50129->50132 50135 49172a 50130->50135 50136 491701 50130->50136 50134 4916d6 50132->50134 50295 42c90c LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 50134->50295 50143 491739 50135->50143 50144 491762 50135->50144 50138 447008 18 API calls 50136->50138 50140 49170e 50138->50140 50139 4916e1 50296 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50139->50296 50297 42c93c 50140->50297 50146 447008 18 API calls 50143->50146 50150 4917ae 50144->50150 50151 491771 50144->50151 50147 491746 50146->50147 50303 42c964 50147->50303 50156 4917bd 50150->50156 50157 491800 50150->50157 50153 447008 18 API calls 50151->50153 50155 491780 50153->50155 50158 447008 18 API calls 50155->50158 50159 447008 18 API calls 50156->50159 50163 49180f 50157->50163 50164 491873 50157->50164 50160 491791 50158->50160 50161 4917d0 50159->50161 50309 42c508 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 50160->50309 50165 447008 18 API calls 50161->50165 50167 447008 18 API calls 50163->50167 50172 4918b2 50164->50172 50173 491882 50164->50173 50168 4917e1 50165->50168 50166 49179d 50310 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50166->50310 50170 49181c 50167->50170 50311 491340 12 API calls 50168->50311 50239 42c618 7 API calls 
50170->50239 50184 4918f1 50172->50184 50185 4918c1 50172->50185 50176 447008 18 API calls 50173->50176 50175 4917ef 50312 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50175->50312 50179 49188f 50176->50179 50177 49182a 50180 49182e 50177->50180 50181 491863 50177->50181 50315 4528f4 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection DeleteFileA GetLastError 50179->50315 50183 447008 18 API calls 50180->50183 50314 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50181->50314 50188 49183d 50183->50188 50193 491930 50184->50193 50194 491900 50184->50194 50189 447008 18 API calls 50185->50189 50187 49189c 50316 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50187->50316 50240 452c6c 50188->50240 50192 4918ce 50189->50192 50317 45275c 50192->50317 50203 491978 50193->50203 50204 49193f 50193->50204 50199 447008 18 API calls 50194->50199 50195 4918ad 50195->50099 50196 49184d 50313 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50196->50313 50198 4918db 50324 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50198->50324 50202 49190d 50199->50202 50325 452dfc Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 50202->50325 50211 4919c0 50203->50211 50212 491987 50203->50212 50206 447008 18 API calls 50204->50206 50208 49194e 50206->50208 50207 49191a 50326 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50207->50326 50210 447008 18 API calls 50208->50210 50213 49195f 50210->50213 50216 4919d3 50211->50216 50223 491a89 50211->50223 50214 447008 18 API calls 50212->50214 50219 447288 5 API calls 50213->50219 50215 491996 50214->50215 50217 447008 18 API calls 50215->50217 50220 447008 18 API calls 50216->50220 50218 4919a7 50217->50218 50224 447288 5 API calls 50218->50224 50219->50099 50221 491a00 50220->50221 50222 447008 18 API calls 50221->50222 50225 491a17 50222->50225 
50223->50099 50330 446fac 18 API calls 50223->50330 50224->50099 50327 407de4 7 API calls 50225->50327 50227 491aa2 50331 42e8d8 FormatMessageA 50227->50331 50232 491a39 50233 447008 18 API calls 50232->50233 50234 491a4d 50233->50234 50328 408510 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50234->50328 50236 491a58 50329 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50236->50329 50238 491a64 50239->50177 50336 452710 50240->50336 50242 452c89 50242->50196 50243 452c85 50243->50242 50244 452cad MoveFileA GetLastError 50243->50244 50342 45274c 50244->50342 50247->50099 50249 406bc7 50248->50249 50250 406be0 50249->50250 50251 406be9 50249->50251 50252 403400 4 API calls 50250->50252 50345 403778 50251->50345 50253 406be7 50252->50253 50255 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50253->50255 50255->50099 50256->50074 50257->50099 50258->50082 50259->50099 50260->50083 50261->50099 50263 403738 50262->50263 50264 4072ba SetCurrentDirectoryA 50263->50264 50264->50092 50265->50099 50267 403738 50266->50267 50268 42c837 GetFullPathNameA 50267->50268 50269 42c843 50268->50269 50270 42c85a 50268->50270 50269->50270 50271 42c84b 50269->50271 50272 403494 4 API calls 50270->50272 50274 4034e0 4 API calls 50271->50274 50273 42c858 50272->50273 50275 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50273->50275 50274->50273 50275->50099 50276->50108 50277->50099 50278->50121 50279->50099 50352 42c7ac 50280->50352 50283 403778 4 API calls 50284 42c8d5 50283->50284 50285 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50284->50285 50285->50099 50367 42c684 50286->50367 50289 42c8f0 50291 403400 4 API calls 50289->50291 50290 42c8f9 50292 403778 4 API calls 50290->50292 50293 42c8f7 50291->50293 50292->50293 50294 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50293->50294 50294->50099 50295->50139 50296->50099 50298 42c7ac IsDBCSLeadByte 50297->50298 50299 42c94c 
50298->50299 50300 403778 4 API calls 50299->50300 50301 42c95e 50300->50301 50302 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50301->50302 50302->50099 50304 42c7ac IsDBCSLeadByte 50303->50304 50305 42c974 50304->50305 50306 403778 4 API calls 50305->50306 50307 42c985 50306->50307 50308 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50307->50308 50308->50099 50309->50166 50310->50099 50311->50175 50312->50099 50313->50099 50314->50099 50315->50187 50316->50195 50318 452710 2 API calls 50317->50318 50319 452772 50318->50319 50320 452776 50319->50320 50321 452794 CreateDirectoryA GetLastError 50319->50321 50320->50198 50322 45274c Wow64RevertWow64FsRedirection 50321->50322 50323 4527ba 50322->50323 50323->50198 50324->50099 50325->50207 50326->50099 50327->50232 50328->50236 50329->50238 50330->50227 50332 42e8fe 50331->50332 50333 4034e0 4 API calls 50332->50333 50334 42e91b 50333->50334 50335 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50334->50335 50335->50099 50337 45271e 50336->50337 50338 45271a 50336->50338 50339 452727 Wow64DisableWow64FsRedirection 50337->50339 50340 452740 SetLastError 50337->50340 50338->50243 50341 45273b 50339->50341 50340->50341 50341->50243 50343 452751 Wow64RevertWow64FsRedirection 50342->50343 50344 45275b 50342->50344 50343->50344 50344->50196 50346 4037aa 50345->50346 50347 40377d 50345->50347 50348 403400 4 API calls 50346->50348 50347->50346 50349 403791 50347->50349 50351 4037a0 50348->50351 50350 4034e0 4 API calls 50349->50350 50350->50351 50351->50253 50357 42c68c 50352->50357 50354 42c80b 50354->50283 50355 42c7c1 50355->50354 50364 42c454 IsDBCSLeadByte 50355->50364 50358 42c69d 50357->50358 50359 42c701 50358->50359 50363 42c6bb 50358->50363 50361 42c6fc 50359->50361 50366 42c454 IsDBCSLeadByte 50359->50366 50361->50355 50363->50361 50365 42c454 IsDBCSLeadByte 50363->50365 50364->50355 50365->50363 50366->50361 50368 42c68c IsDBCSLeadByte 50367->50368 
50369 42c68b 50368->50369 50369->50289 50369->50290 50370 41364c SetWindowLongA GetWindowLongA 50371 4136a9 SetPropA SetPropA 50370->50371 50372 41368b GetWindowLongA 50370->50372 50376 41f3ac 50371->50376 50372->50371 50373 41369a SetWindowLongA 50372->50373 50373->50371 50381 415280 50376->50381 50388 423c1c 50376->50388 50482 423a94 50376->50482 50377 4136f9 50382 41528d 50381->50382 50383 4152f3 50382->50383 50384 4152e8 50382->50384 50387 4152f1 50382->50387 50489 424b9c 13 API calls 50383->50489 50384->50387 50490 41506c 46 API calls 50384->50490 50387->50377 50404 423c52 50388->50404 50391 423cfc 50393 423d03 50391->50393 50394 423d37 50391->50394 50392 423c9d 50395 423ca3 50392->50395 50396 423d60 50392->50396 50397 423d09 50393->50397 50440 423fc1 50393->50440 50399 423d42 50394->50399 50400 4240aa IsIconic 50394->50400 50398 423ca8 50395->50398 50414 423cd5 50395->50414 50401 423d72 50396->50401 50402 423d7b 50396->50402 50406 423f23 SendMessageA 50397->50406 50407 423d17 50397->50407 50410 423e06 50398->50410 50411 423cae 50398->50411 50412 4240e6 50399->50412 50413 423d4b 50399->50413 50408 423c73 50400->50408 50409 4240be GetFocus 50400->50409 50403 423d88 50401->50403 50415 423d79 50401->50415 50500 4241a4 11 API calls 50402->50500 50501 4241ec IsIconic 50403->50501 50404->50408 50491 423b78 50404->50491 50406->50408 50407->50408 50441 423cd0 50407->50441 50461 423f66 50407->50461 50408->50377 50409->50408 50417 4240cf 50409->50417 50513 423b94 NtdllDefWindowProc_A 50410->50513 50418 423cb7 50411->50418 50419 423e2e PostMessageA 50411->50419 50535 424860 WinHelpA PostMessageA 50412->50535 50422 4240fd 50413->50422 50413->50441 50414->50408 50431 423cee 50414->50431 50432 423e4f 50414->50432 50509 423b94 NtdllDefWindowProc_A 50415->50509 50534 41f004 GetCurrentThreadId 73EB5940 50417->50534 50426 423cc0 50418->50426 50427 423eb5 50418->50427 50519 423b94 NtdllDefWindowProc_A 50419->50519 50429 424106 50422->50429 50430 42411b 50422->50430 50435 423cc9 
50426->50435 50436 423dde IsIconic 50426->50436 50437 423ebe 50427->50437 50438 423eef 50427->50438 50428 423e49 50428->50408 50536 4244e4 50429->50536 50542 42453c LocalAlloc TlsSetValue TlsGetValue TlsGetValue SendMessageA 50430->50542 50431->50441 50442 423e1b 50431->50442 50495 423b94 NtdllDefWindowProc_A 50432->50495 50434 4240d6 50434->50408 50445 4240de SetFocus 50434->50445 50435->50441 50446 423da1 50435->50446 50448 423dfa 50436->50448 50449 423dee 50436->50449 50521 423b24 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 50437->50521 50496 423b94 NtdllDefWindowProc_A 50438->50496 50440->50408 50456 423fe7 IsWindowEnabled 50440->50456 50441->50408 50499 423b94 NtdllDefWindowProc_A 50441->50499 50514 424188 50442->50514 50444 423e55 50453 423e93 50444->50453 50454 423e71 50444->50454 50445->50408 50446->50408 50510 422c5c ShowWindow PostMessageA PostQuitMessage 50446->50510 50512 423b94 NtdllDefWindowProc_A 50448->50512 50511 423bd0 15 API calls 50449->50511 50462 423a94 6 API calls 50453->50462 50520 423b24 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 50454->50520 50455 423ec6 50464 423ed8 50455->50464 50522 41ef68 50455->50522 50456->50408 50465 423ff5 50456->50465 50459 423ef5 50466 423f0d 50459->50466 50497 41eeb4 GetCurrentThreadId 73EB5940 50459->50497 50461->50408 50468 423f88 IsWindowEnabled 50461->50468 50469 423e9b PostMessageA 50462->50469 50528 423b94 NtdllDefWindowProc_A 50464->50528 50475 423ffc IsWindowVisible 50465->50475 50473 423a94 6 API calls 50466->50473 50467 423e79 PostMessageA 50467->50408 50468->50408 50474 423f96 50468->50474 50469->50408 50473->50408 50529 412320 7 API calls 50474->50529 50475->50408 50477 42400a GetFocus 50475->50477 50530 4181f0 50477->50530 50479 42401f SetFocus 50532 415250 50479->50532 50483 423b1d 50482->50483 50484 423aa4 50482->50484 50483->50377 50484->50483 50485 423aaa EnumWindows 50484->50485 50485->50483 50486 423ac6 GetWindow GetWindowLongA 50485->50486 50646 423a2c 
GetWindow 50485->50646 50487 423ae5 50486->50487 50487->50483 50488 423b11 SetWindowPos 50487->50488 50488->50483 50488->50487 50489->50387 50490->50387 50492 423b82 50491->50492 50493 423b8d 50491->50493 50492->50493 50543 408728 GetSystemDefaultLCID 50492->50543 50493->50391 50493->50392 50495->50444 50496->50459 50498 41ef39 50497->50498 50498->50466 50499->50408 50500->50408 50502 424233 50501->50502 50503 4241fd SetActiveWindow 50501->50503 50502->50408 50618 42365c 50503->50618 50507 42421a 50507->50502 50508 42422d SetFocus 50507->50508 50508->50502 50509->50408 50510->50408 50511->50408 50512->50408 50513->50408 50631 41db40 50514->50631 50517 4241a0 50517->50408 50518 424194 LoadIconA 50518->50517 50519->50428 50520->50467 50521->50455 50523 41ef70 IsWindow 50522->50523 50524 41ef9c 50522->50524 50525 41ef7f EnableWindow 50523->50525 50527 41ef8a 50523->50527 50524->50464 50525->50527 50526 402660 4 API calls 50526->50527 50527->50523 50527->50524 50527->50526 50528->50408 50529->50408 50531 4181fa 50530->50531 50531->50479 50533 41526b SetFocus 50532->50533 50533->50408 50534->50434 50535->50428 50537 4244f0 50536->50537 50538 42450a 50536->50538 50539 42451f 50537->50539 50540 4244f7 SendMessageA 50537->50540 50541 402648 4 API calls 50538->50541 50539->50408 50540->50539 50541->50539 50542->50428 50598 408570 GetLocaleInfoA 50543->50598 50548 408570 5 API calls 50549 40877d 50548->50549 50550 408570 5 API calls 50549->50550 50551 4087a1 50550->50551 50610 4085bc GetLocaleInfoA 50551->50610 50554 4085bc GetLocaleInfoA 50555 4087d1 50554->50555 50556 408570 5 API calls 50555->50556 50557 4087eb 50556->50557 50558 4085bc GetLocaleInfoA 50557->50558 50559 408808 50558->50559 50560 408570 5 API calls 50559->50560 50561 408822 50560->50561 50562 403450 4 API calls 50561->50562 50563 40882f 50562->50563 50564 408570 5 API calls 50563->50564 50565 408844 50564->50565 50566 403450 4 API calls 50565->50566 50567 408851 50566->50567 50568 4085bc GetLocaleInfoA 
Execution Graph: node/edge data exported from the interactive control-flow graph viewer (numeric node ids, code addresses and API-call counts); not reproduced in readable form. Windows APIs visible in the graph nodes include GetWindowsDirectoryA, GetSystemDirectoryA, GetEnvironmentVariableA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetModuleHandleA, GetProcAddress, LoadLibraryA, LoadLibraryExA, SetProcessDEPPolicy, GetVersion, GetVersionExA, GetCurrentProcessId, GetCurrentThreadId, IsDBCSLeadByte, CharNextA, GetDriveTypeA, SHPathPrepareForWriteA, SetCurrentDirectoryA, CreateWindowExA, RegisterClassA, SendMessageA, SetActiveWindow, SetFocus, ShowWindow, SetWindowPos, SystemParametersInfoA, LoadStringA, LocalAlloc, TlsSetValue, TlsGetValue, WriteFile, GetLastError and SetErrorMode.
Strings
• Same time stamp. Skipping., xrefs: 00470FFD
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470F78
• Couldn't read time stamp. Skipping., xrefs: 00470FDD
• User opted not to overwrite the existing file. Skipping., xrefs: 004710F5
• Will register the file (a DLL/OCX) later., xrefs: 004717AD
• Existing file is protected by Windows File Protection. Skipping., xrefs: 00471094
• Skipping due to "onlyifdestfileexists" flag., xrefs: 004711A2
• Time stamp of our file: (failed to read), xrefs: 00470C4F
• Incrementing shared file count (32-bit)., xrefs: 00471833
• Version of existing file: (none), xrefs: 00470FA2
• Non-default bitness: 32-bit, xrefs: 00470B63
• Uninstaller requires administrator: %s, xrefs: 0047141D
• Skipping due to "onlyifdoesntexist" flag., xrefs: 00470C76
• Same version. Skipping., xrefs: 00470F8D
• -- File entry --, xrefs: 004709A3
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0047113E
• Non-default bitness: 64-bit, xrefs: 00470B57
• Dest file exists., xrefs: 00470C63
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470F6C
• Dest file is protected by Windows File Protection., xrefs: 00470B95
• , xrefs: 00470E77, 00471048, 004710C6
• Failed to strip read-only attribute., xrefs: 0047117B
• Time stamp of existing file: %s, xrefs: 00470CD3
• Installing the file., xrefs: 004711B1
• Time stamp of existing file: (failed to read), xrefs: 00470CDF
• Existing file has a later time stamp. Skipping., xrefs: 00471077
• Version of our file: %u.%u.%u.%u, xrefs: 00470D98
• Version of existing file: %u.%u.%u.%u, xrefs: 00470E24
• Existing file is a newer version. Skipping., xrefs: 00470EAA
• Stripped read-only attribute., xrefs: 0047116F
• @, xrefs: 00470A58
• Incrementing shared file count (64-bit)., xrefs: 0047181A
• Dest filename: %s, xrefs: 00470B3C
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470F5D
• InUn, xrefs: 004713ED
• .tmp, xrefs: 0047125F
• Time stamp of our file: %s, xrefs: 00470C43
• Will register the file (a type library) later., xrefs: 004717A1
• Installing into GAC, xrefs: 004719A2
• Version of our file: (none), xrefs: 00470DA4
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID:
• String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
• API String ID: 0-4021121268
• Opcode ID: 37ba39076e8f210f702745b7d33ab1b6cbc29d83952fc568139b6c082dd49221
• Instruction ID: 00dcbbebc37e67597ddb11db3b00c056d98a3663d13b65a1c96947d1bb872b77
• Instruction Fuzzy Hash: 2C927534A04288DFDB11DFA9C845BDDBBB5AF05304F5480ABE848AB392C7789E45CB59

Control-flow Graph for 42e0ac-42e29f (graph rendering omitted; legend: Executed / Not Executed). APIs referenced in the graph: AllocateAndInitializeSid, GetVersion, GetModuleHandleA, GetProcAddress, CheckTokenMembership, GetCurrentThread, OpenThreadToken, GetTokenInformation, GetLastError, GetCurrentProcess, OpenProcessToken, EqualSid, CloseHandle, FreeSid.
APIs
• AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0E6
• GetVersion.KERNEL32(00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E103
• GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E11C
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E122
• CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E137
• FreeSid.ADVAPI32(00000000,0042E297,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E28A
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 2252812187-1888249752
• Opcode ID: dfa08fd94d7286335d22f987ae6d0bc512a1d03bb366aa7b3c061580d116a88c
• Instruction ID: 1c76bb1748f4203a7925b196b2d5623075850b54fd141b793a49aa5c8bf5bf77
• Instruction Fuzzy Hash: 22517571B44615EEEB10EAE6A842BBF7BACDB09304F9404BBB501F7282D57C9904867D

Control-flow Graph for 4502ac-450372 (graph rendering omitted; legend: Executed / Not Executed). APIs referenced in the graph: GetVersion, LoadLibraryA, GetProcAddress (6 calls).
APIs
• GetVersion.KERNEL32(00480618), ref: 004502BF
• LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480618), ref: 004502D7
• GetProcAddress.KERNEL32(6D520000,RmStartSession), ref: 004502F5
• GetProcAddress.KERNEL32(6D520000,RmRegisterResources), ref: 0045030A
• GetProcAddress.KERNEL32(6D520000,RmGetList), ref: 0045031F
• GetProcAddress.KERNEL32(6D520000,RmShutdown), ref: 00450334
• GetProcAddress.KERNEL32(6D520000,RmRestart), ref: 00450349
• GetProcAddress.KERNEL32(6D520000,RmEndSession), ref: 0045035E
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AddressProc$LibraryLoadVersion
• String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
• API String ID: 1968650500-3419246398
• Opcode ID: e7a86348d8f011b95a06015b0bab06b6210f60d72cb8efa7c77c846e57fe45c9
• Instruction ID: 1cbd638475316f18669290cc5db137bdc69b0bbe350ace6e5bf0246856dda450
• Instruction Fuzzy Hash: CC11A5B4541740DBDA10FBA5BB85A2A32E9E72C715B08563BEC44AA1A2DB7C4448CF9C

Control-flow Graph for 423c1c-424187 (graph rendering omitted; legend: Executed / Not Executed). APIs referenced in the graph: IsIconic, GetFocus, SetFocus, SendMessageA, PostMessageA, IsWindowEnabled, IsWindowVisible.
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
• Opcode ID: 8e2e69a12e9eff459782c0c50b644f6d48cf10d105da74f526d2b860ae1f2e99
• Instruction ID: adb1057a9d0d7329e5210459a6b6756db00cf693e958207d3a560887342e2c6b
• Instruction Fuzzy Hash: EBE1A230700125EFD704EF69E989A6EB7B5EF94304F9480A6E545AB352C73CEE81DB08

Control-flow Graph for function 467710 (graph rendering omitted; legend: Executed / Not Executed). APIs referenced in the graph: LoadBitmapA, GetSystemMenu, AppendMenuA.
2412->2416 2413->2412 2414->2411 2414->2413 2419 4688bc-4688df call 47bfd8 call 403450 2415->2419 2420 468949-468957 call 414b28 2415->2420 2417 468817-46886e call 47bfd8 call 414b28 call 47bfd8 call 414b28 call 47bfd8 call 414b28 2416->2417 2418 468870-4688aa call 414b28 * 3 2416->2418 2417->2415 2418->2415 2443 4688f0-468904 call 403494 2419->2443 2444 4688e1-4688ee call 47c178 2419->2444 2428 46895c-468965 2420->2428 2432 468a75-468aa4 call 42b97c call 44e84c 2428->2432 2433 46896b-468983 call 429fe8 2428->2433 2462 468b52-468b56 2432->2462 2463 468aaa-468aae 2432->2463 2445 468985-468989 2433->2445 2446 4689fa-4689fe 2433->2446 2458 468916-468947 call 42c814 call 42cbd0 call 403494 call 414b28 2443->2458 2459 468906-468911 call 403494 2443->2459 2444->2458 2454 46898b-4689c5 call 40b44c call 47bfd8 2445->2454 2452 468a00-468a09 2446->2452 2453 468a4e-468a52 2446->2453 2452->2453 2460 468a0b-468a16 2452->2460 2465 468a66-468a70 call 42a06c 2453->2465 2466 468a54-468a64 call 42a06c 2453->2466 2519 4689c7-4689ce 2454->2519 2520 4689f4-4689f8 2454->2520 2458->2428 2459->2458 2460->2453 2470 468a18-468a1c 2460->2470 2473 468bd5-468bd9 2462->2473 2474 468b58-468b5f 2462->2474 2472 468ab0-468ac2 call 40b44c 2463->2472 2465->2432 2466->2432 2478 468a1e-468a41 call 40b44c call 406acc 2470->2478 2497 468af4-468b2b call 47bfd8 call 44cb1c 2472->2497 2498 468ac4-468af2 call 47bfd8 call 44cbec 2472->2498 2481 468c42-468c4b 2473->2481 2482 468bdb-468bf2 call 40b44c 2473->2482 2474->2473 2483 468b61-468b68 2474->2483 2529 468a43-468a46 2478->2529 2530 468a48-468a4c 2478->2530 2490 468c4d-468c65 call 40b44c call 469d68 2481->2490 2491 468c6a-468c7f call 46724c call 466fc8 2481->2491 2511 468bf4-468c30 call 40b44c call 469d68 * 2 call 469c08 2482->2511 2512 468c32-468c40 call 469d68 2482->2512 2483->2473 2493 468b6a-468b75 2483->2493 2490->2491 2538 468cd1-468cdb call 414a54 2491->2538 2539 468c81-468ca4 call 42a050 call 40b44c 2491->2539 2493->2491 2501 468b7b-468b7f 
2493->2501 2540 468b30-468b34 2497->2540 2498->2540 2513 468b81-468b97 call 40b44c 2501->2513 2511->2491 2512->2491 2536 468bca-468bce 2513->2536 2537 468b99-468bc5 call 42a06c call 469d68 call 469c08 2513->2537 2519->2520 2531 4689d0-4689e2 call 406acc 2519->2531 2520->2446 2520->2454 2529->2453 2530->2453 2530->2478 2531->2520 2557 4689e4-4689ee 2531->2557 2536->2513 2550 468bd0 2536->2550 2537->2491 2552 468ce0-468cff call 414a54 2538->2552 2571 468ca6-468cad 2539->2571 2572 468caf-468cbe call 414a54 2539->2572 2548 468b36-468b3d 2540->2548 2549 468b3f-468b41 2540->2549 2548->2549 2556 468b48-468b4c 2548->2556 2549->2556 2550->2491 2567 468d01-468d24 call 42a050 call 469ec8 2552->2567 2568 468d29-468d4c call 47bfd8 call 403450 2552->2568 2556->2462 2556->2472 2557->2520 2562 4689f0 2557->2562 2562->2520 2567->2568 2586 468d4e-468d57 2568->2586 2587 468d68-468d71 2568->2587 2571->2572 2576 468cc0-468ccf call 414a54 2571->2576 2572->2552 2576->2552 2586->2587 2590 468d59-468d66 call 47c178 2586->2590 2588 468d87-468d97 call 403494 2587->2588 2589 468d73-468d85 call 403684 2587->2589 2597 468da9-468dc0 call 414b28 2588->2597 2589->2588 2598 468d99-468da4 call 403494 2589->2598 2590->2597 2602 468df6-468e00 call 414a54 2597->2602 2603 468dc2-468dc9 2597->2603 2598->2597 2608 468e05-468e2a call 403400 * 3 2602->2608 2605 468dd6-468de0 call 42b0f4 2603->2605 2606 468dcb-468dd4 2603->2606 2609 468de5-468df4 call 414a54 2605->2609 2606->2605 2606->2609 2609->2608
                                                                                                              APIs
                                                                                                                • Part of subcall function 0049529C: GetWindowRect.USER32(00000000), ref: 004952B2
                                                                                                              • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467ADF
                                                                                                                • Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00467AF9), ref: 0041D6EB
                                                                                                                • Part of subcall function 004674EC: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046758F
                                                                                                                • Part of subcall function 004674EC: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004675B5
                                                                                                                • Part of subcall function 004674EC: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 0046760C
                                                                                                                • Part of subcall function 00466EAC: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467B94,00000000,00000000,00000000,0000000C,00000000), ref: 00466EC4
                                                                                                                • Part of subcall function 00495520: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 0049552A
                                                                                                                • Part of subcall function 0042ED48: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8
                                                                                                                • Part of subcall function 0042ED48: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5
                                                                                                                • Part of subcall function 004951EC: 73EAA570.USER32(00000000,?,?,?), ref: 0049520E
                                                                                                                • Part of subcall function 004951EC: SelectObject.GDI32(?,00000000), ref: 00495234
                                                                                                                • Part of subcall function 004951EC: 73EAA480.USER32(00000000,?,00495292,0049528B,?,00000000,?,?,?), ref: 00495285
                                                                                                                • Part of subcall function 00495510: MulDiv.KERNEL32(0000004B,?,00000006), ref: 0049551A
                                                                                                              • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,02149DBC,0214B940,?,?,0214B970,?,?,0214B9C0,?), ref: 00468769
                                                                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046877A
                                                                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468792
                                                                                                                • Part of subcall function 0042A06C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A082
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
                                                                                                              • String ID: $(Default)$STOPIMAGE$k H
                                                                                                              • API String ID: 3271511185-4041106330
                                                                                                              • Opcode ID: 8c5f56ff46f7a67da8681be0a4bf9e1c58ad281b7cd8555ea36c903984038836
                                                                                                              • Instruction ID: 2b4e5e33b1fbe28ecfb2af168a793b611adbc31a6fcb8730d9662ddd01b2079a
                                                                                                              • Opcode Fuzzy Hash: 8c5f56ff46f7a67da8681be0a4bf9e1c58ad281b7cd8555ea36c903984038836
                                                                                                              • Instruction Fuzzy Hash: 6CF2C7386005208FCB00EB59D9D9F9973F5BF49304F1582BAF5049B36ADB74AC46CB9A
                                                                                                              APIs
                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 00475251
                                                                                                              • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 0047532E
                                                                                                              • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 0047533C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$File$CloseFirstNext
                                                                                                              • String ID: unins$unins???.*
                                                                                                              • API String ID: 3541575487-1009660736
                                                                                                              • Opcode ID: a837fad0235e4b9e7aba6803d3a4e161a7614f9d7543318200369ea6c4804c70
                                                                                                              • Instruction ID: 9ba6e551af2be01ae54f2bf6d4feb37662207b66b60327addd096aea054bc42d
                                                                                                              • Opcode Fuzzy Hash: a837fad0235e4b9e7aba6803d3a4e161a7614f9d7543318200369ea6c4804c70
                                                                                                              • Instruction Fuzzy Hash: 333153706005489FDB10EB65D981ADE77B9EF44344F5080F6A80CAB3B2DBB89F418B58
                                                                                                              APIs
                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AAF,?,?,-00000001,00000000), ref: 00452A89
                                                                                                              • GetLastError.KERNEL32(00000000,?,00000000,00452AAF,?,?,-00000001,00000000), ref: 00452A91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFileFindFirstLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 873889042-0
                                                                                                              • Opcode ID: 8734e5af750e444322e05c8d8760e218afcb813f3cdff8847798d95c72a82f1b
                                                                                                              • Instruction ID: 2517da8cadb6fb7e7a3bde91136fc32a544ec95f0d2c756002249f4fd287b9db
                                                                                                              • Opcode Fuzzy Hash: 8734e5af750e444322e05c8d8760e218afcb813f3cdff8847798d95c72a82f1b
                                                                                                              • Instruction Fuzzy Hash: B9F0F971A04604AB8B20DBA69D0149EB7ACEB46725710467BFC14E3292EAB94E048558
                                                                                                              APIs
                                                                                                              • GetVersion.KERNEL32(00000526,0046E422), ref: 0046E396
                                                                                                              • CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,00000526,0046E422), ref: 0046E3B2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateInstanceVersion
                                                                                                              • String ID:
                                                                                                              • API String ID: 1462612201-0
                                                                                                              • Opcode ID: 8ad8c01d14ab9cfbb68706b1f8329e070a5efeb3acbbf88c6fea7131f03e9687
                                                                                                              • Instruction ID: ca204bcfc643a6eeda20b237376823326e775e7ff9cf44b6f5c5a065e078b710
                                                                                                              • Opcode Fuzzy Hash: 8ad8c01d14ab9cfbb68706b1f8329e070a5efeb3acbbf88c6fea7131f03e9687
                                                                                                              • Instruction Fuzzy Hash: 80F0A035282200DEEB1097AADC45B4A37C1BB20718F40007BF440D7391E3FDD8908A5F
                                                                                                              APIs
                                                                                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale
                                                                                                              • String ID:
                                                                                                              • API String ID: 2299586839-0
                                                                                                              • Opcode ID: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
                                                                                                              • Instruction ID: d3b8e551ebd18b966166ca098383beb9494d3946d3c482517005b7019d2e894c
                                                                                                              • Opcode Fuzzy Hash: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
                                                                                                              • Instruction Fuzzy Hash: EEE0D87170021467D711A95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE8046ED
                                                                                                              APIs
                                                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NtdllProc_Window
                                                                                                              • String ID:
                                                                                                              • API String ID: 4255912815-0
                                                                                                              • Opcode ID: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                                                                              • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                                                                              • Opcode Fuzzy Hash: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                                                                              • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NameUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2645101109-0
                                                                                                              • Opcode ID: cd9d261bbe345dbfbc1978f69ea3c80f8509ceaa1a51dcff4dfe5a18c54a8916
                                                                                                              • Instruction ID: 445fb77b721d6e8bc33303137c5d79e403f1e24c04085a252f4bbff9531eb306
                                                                                                              • Opcode Fuzzy Hash: cd9d261bbe345dbfbc1978f69ea3c80f8509ceaa1a51dcff4dfe5a18c54a8916
                                                                                                              • Instruction Fuzzy Hash: 6AD0C271304704A3C700AAA99C825AA35DD8B84315F00483F3CC6DA3C3FABDDA481696
                                                                                                              APIs
                                                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F54C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NtdllProc_Window
                                                                                                              • String ID:
                                                                                                              • API String ID: 4255912815-0
                                                                                                              • Opcode ID: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                                                                              • Instruction ID: 55aff4e3ab0814f5b97a0c0db1ec4da333d3f7c11773d115dc143ade784a7ab4
                                                                                                              • Opcode Fuzzy Hash: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                                                                              • Instruction Fuzzy Hash: BAD05E7120010C7B9B00DE9CE840C6B33BC9B88700BA08825F918C7202C634ED5187A8

                                                                                                              Control-flow Graph (rendered graph image and raw edge list not reproduced)
                                                                                                              APIs
                                                                                                                • Part of subcall function 0046F0EC: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,004763FA,?,0049C1D0,?,0046F403,?,00000000,0046F99E,?,_is1), ref: 0046F10F
                                                                                                                • Part of subcall function 0046F15C: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F7DA,?,?,00000000,0046F99E,?,_is1,?), ref: 0046F16F
                                                                                                              • RegCloseKey.ADVAPI32(?,0046F9A5,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F9F0,?,?,0049C1D0,00000000), ref: 0046F998
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Value$Close
                                                                                                              • String ID: " /SILENT$5.5.0 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                                              • API String ID: 3391052094-1769338133
                                                                                                              • Opcode ID: 67f6315d958a58f45cb4284f97db66795a1d98a02650a50bcbb58ac39832d899
                                                                                                              • Instruction ID: 138fe2a8aa43a8f2517aa1aee13eacc10811dc4b0cf032f1bf39601b5d09dcc5
                                                                                                              • Opcode Fuzzy Hash: 67f6315d958a58f45cb4284f97db66795a1d98a02650a50bcbb58ac39832d899
                                                                                                              • Instruction Fuzzy Hash: 96126331A001089BCB04EB55F891ADE77F5FB49304F60807BE841AB396EB79BD49CB59

                                                                                                              Control-flow Graph (rendered graph image and raw edge list not reproduced)
                                                                                                              APIs
                                                                                                              • Sleep.KERNEL32(00000000,00000000,004926FD,?,?,?,?,00000000,00000000,00000000), ref: 00492248
                                                                                                              • FindWindowA.USER32(00000000,00000000), ref: 00492279
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FindSleepWindow
                                                                                                              • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                                              • API String ID: 3078808852-3310373309
                                                                                                              • Opcode ID: c1ec15085ba63eb54c7011cdac0519612329d97296155b19e28ce0d5a23e6700
                                                                                                              • Instruction ID: d4b9d66e752ac066ee841e8e0b6dcdad2790022369f15f3c2d7e05b7c0e56f01
                                                                                                              • Opcode Fuzzy Hash: c1ec15085ba63eb54c7011cdac0519612329d97296155b19e28ce0d5a23e6700
                                                                                                              • Instruction Fuzzy Hash: 7BC18360B042003BDB14BE3E8D4651F599AAF98704B21DA3FB446EB78BDE7DDC0A4359

                                                                                                              Control-flow Graph (rendered graph image and raw edge list not reproduced)
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0048350D
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0048351A
                                                                                                              • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483528
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483530
                                                                                                              • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0048353C
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0048355D
                                                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483570
                                                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483576
                                                                                                              • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0048358D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                                              • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                                              • API String ID: 2230631259-2623177817
                                                                                                              • Opcode ID: 902794c9b05e674b3c8cbfb7d2ebb6c35b92e2ba612f62c852d4d82e66413226
                                                                                                              • Instruction ID: aef9cc714e700b71c16e3c25fef244724f393c0ebf8792b51c17ae6c670cb8ad
                                                                                                              • Opcode Fuzzy Hash: 902794c9b05e674b3c8cbfb7d2ebb6c35b92e2ba612f62c852d4d82e66413226
                                                                                                              • Instruction Fuzzy Hash: 3C11B181104341B4DA22BB799C4AB7FA5C88B14F1EF084C3B6C41662C2DBBCCF45972E

                                                                                                              Control-flow Graph (rendered graph image and raw edge list not reproduced)
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegCloseKey.ADVAPI32(?,0046930E,?,?,00000001,00000000,00000000,00469329,?,00000000,00000000,?), ref: 004692F7
                                                                                                              Strings
                                                                                                              • Inno Setup: Setup Type, xrefs: 00469206
                                                                                                              • Inno Setup: Selected Tasks, xrefs: 00469263
                                                                                                              • Inno Setup: No Icons, xrefs: 004691DF
                                                                                                              • Inno Setup: App Path, xrefs: 004691B6
                                                                                                              • Inno Setup: User Info: Name, xrefs: 004692B3
                                                                                                              • Inno Setup: Deselected Components, xrefs: 00469238
                                                                                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00469153
                                                                                                              • Inno Setup: Icon Group, xrefs: 004691D2
                                                                                                              • Inno Setup: Deselected Tasks, xrefs: 00469285
                                                                                                              • Inno Setup: Selected Components, xrefs: 00469216
                                                                                                              • Inno Setup: User Info: Serial, xrefs: 004692D9
                                                                                                              • %s\%s_is1, xrefs: 00469171
                                                                                                              • Inno Setup: User Info: Organization, xrefs: 004692C6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpen
                                                                                                              • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                              • API String ID: 47109696-1093091907
                                                                                                              • Opcode ID: 25db79955295e6fcdf5aa6e288321b734c42c3c57179da3fb439077398282def
                                                                                                              • Instruction ID: 061cd232f3236ea8aa9d1be5d6e88d15b117e94232a8cb9589ebe07a9024ca8b
                                                                                                              • Opcode Fuzzy Hash: 25db79955295e6fcdf5aa6e288321b734c42c3c57179da3fb439077398282def
                                                                                                              • Instruction Fuzzy Hash: 2451A530A007049BCB11DB65D991BDEB7F9EF49304F5084BAE841A7391E778AE05CB59

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 1944 47cb30-47cb86 call 42c40c call 4035c0 call 47c7a8 call 4525c4 1953 47cb92-47cba1 call 4525c4 1944->1953 1954 47cb88-47cb8d call 453330 1944->1954 1958 47cba3-47cba9 1953->1958 1959 47cbbb-47cbc1 1953->1959 1954->1953 1960 47cbcb-47cbd3 call 403494 1958->1960 1961 47cbab-47cbb1 1958->1961 1962 47cbc3-47cbc9 1959->1962 1963 47cbd8-47cc00 call 42e3a4 * 2 1959->1963 1960->1963 1961->1959 1965 47cbb3-47cbb9 1961->1965 1962->1960 1962->1963 1970 47cc27-47cc41 GetProcAddress 1963->1970 1971 47cc02-47cc22 call 4078fc call 453330 1963->1971 1965->1959 1965->1960 1973 47cc43-47cc48 call 453330 1970->1973 1974 47cc4d-47cc6a call 403400 * 2 1970->1974 1971->1970 1973->1974
                                                                                                              APIs
                                                                                                              • GetProcAddress.KERNEL32(74AA0000,SHGetFolderPathA), ref: 0047CC32
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc
                                                                                                              • String ID: -rI$Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                                              • API String ID: 190572456-1821436788
                                                                                                              • Opcode ID: 6ffe9b8d239fe87f34ca3bad4a2ef70314c6aab1a19caa776437c1588b9a665e
                                                                                                              • Instruction ID: 6634b889f1a60bd4549a24dd6789ad2f54a0d6468ac2a8038bb9781f42ef23c6
                                                                                                              • Opcode Fuzzy Hash: 6ffe9b8d239fe87f34ca3bad4a2ef70314c6aab1a19caa776437c1588b9a665e
                                                                                                              • Instruction Fuzzy Hash: 8531E970A00109DFCF11EFA9D9D29EEB7B5EB44304B60847BE808E7241D738AE458B6D

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 1982 406334-40634e GetModuleHandleA GetProcAddress 1983 406350 1982->1983 1984 406357-406364 GetProcAddress 1982->1984 1983->1984 1985 406366 1984->1985 1986 40636d-40637a GetProcAddress 1984->1986 1985->1986 1987 406380-406381 1986->1987 1988 40637c-40637e SetProcessDEPPolicy 1986->1988 1988->1987
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498590), ref: 0040633A
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
                                                                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498590), ref: 0040637E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleModulePolicyProcess
                                                                                                              • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                                              • API String ID: 3256987805-3653653586
                                                                                                              • Opcode ID: 44a467ebc0bbd25a117d5635929f8822d44e7a6198a0967341d1dbca25e1581a
                                                                                                              • Instruction ID: d0a9e1fb4642b92a4408cab99680119fc9d423cfedcded744397bec81fc197df
                                                                                                              • Opcode Fuzzy Hash: 44a467ebc0bbd25a117d5635929f8822d44e7a6198a0967341d1dbca25e1581a
                                                                                                              • Instruction Fuzzy Hash: C6E026A1380701ACEA1436F20D82F7B10488B40B64B2A14373D5AB91C3D9BDD92459BD

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 2618 423884-42388e 2619 4239b7-4239bb 2618->2619 2620 423894-4238b6 call 41f3d4 GetClassInfoA 2618->2620 2623 4238e7-4238f0 GetSystemMetrics 2620->2623 2624 4238b8-4238cf RegisterClassA 2620->2624 2626 4238f2 2623->2626 2627 4238f5-4238ff GetSystemMetrics 2623->2627 2624->2623 2625 4238d1-4238e2 call 408cc4 call 40311c 2624->2625 2625->2623 2626->2627 2628 423901 2627->2628 2629 423904-423960 call 403738 call 406300 call 403400 call 42365c SetWindowLongA 2627->2629 2628->2629 2641 423962-423975 call 424188 SendMessageA 2629->2641 2642 42397a-4239a8 GetSystemMenu DeleteMenu * 2 2629->2642 2641->2642 2642->2619 2644 4239aa-4239b2 DeleteMenu 2642->2644 2644->2619
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                                                              • GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
                                                                                                              • RegisterClassA.USER32(00499630), ref: 004238C7
                                                                                                              • GetSystemMetrics.USER32(00000000), ref: 004238E9
                                                                                                              • GetSystemMetrics.USER32(00000001), ref: 004238F8
                                                                                                              • SetWindowLongA.USER32(00410660,000000FC,0042369C), ref: 00423954
                                                                                                              • SendMessageA.USER32(00410660,00000080,00000001,00000000), ref: 00423975
                                                                                                              • GetSystemMenu.USER32(00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
                                                                                                              • DeleteMenu.USER32(00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
                                                                                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
                                                                                                              • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 183575631-0
                                                                                                              • Opcode ID: f8f7b9d3de02a5f634ff8a39374b78efb95d56f414cac3a76e6abeb800e2fe0e
                                                                                                              • Instruction ID: c8b20579a229f032ee7a03b4d787949f367ffe63dd75f0d430c9c3a529dbdbac
                                                                                                              • Opcode Fuzzy Hash: f8f7b9d3de02a5f634ff8a39374b78efb95d56f414cac3a76e6abeb800e2fe0e
                                                                                                              • Instruction Fuzzy Hash: 813172B17402006AEB10AF65AC82F6B36989B14308F10017BFA40AE2D3C6BDDD40876D

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 2646 4674ec-467596 call 41462c call 41464c call 41462c call 41464c SHGetFileInfo 2655 4675cb-4675d6 call 478d20 2646->2655 2656 467598-46759f 2646->2656 2661 467627-46763a call 47cff4 2655->2661 2662 4675d8-46761d call 42c40c call 40357c call 403738 ExtractIconA call 46742c 2655->2662 2656->2655 2658 4675a1-4675c6 ExtractIconA call 46742c 2656->2658 2658->2655 2668 46763c-467646 call 47cff4 2661->2668 2669 46764b-46764f 2661->2669 2684 467622 2662->2684 2668->2669 2671 467651-467674 call 403738 SHGetFileInfo 2669->2671 2672 4676a9-4676dd call 403400 * 2 2669->2672 2671->2672 2680 467676-46767d 2671->2680 2680->2672 2683 46767f-4676a4 ExtractIconA call 46742c 2680->2683 2683->2672 2684->2672
                                                                                                              APIs
                                                                                                              • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046758F
                                                                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004675B5
                                                                                                                • Part of subcall function 0046742C: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004674C4
                                                                                                                • Part of subcall function 0046742C: DestroyCursor.USER32(00000000), ref: 004674DA
                                                                                                              • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 0046760C
                                                                                                              • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046766D
                                                                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467693
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                                              • String ID: c:\directory$k H$shell32.dll
                                                                                                              • API String ID: 3376378930-433663191
                                                                                                              • Opcode ID: 29e72a9552dfdc2cbc6caa590d21046d5f8b548d470bab6826c497dca36ee432
                                                                                                              • Instruction ID: 265839c963417482dd86c951db209f81288bb0a388fd09f062db7983cc26d63d
                                                                                                              • Opcode Fuzzy Hash: 29e72a9552dfdc2cbc6caa590d21046d5f8b548d470bab6826c497dca36ee432
                                                                                                              • Instruction Fuzzy Hash: B2516070604604AFDB10EF69CD89FDFB7E8EB48318F1081A6F9049B391D6399E81CA59

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 2688 42f570-42f57a 2689 42f584-42f5c1 call 402b30 GetActiveWindow GetFocus call 41eeb4 2688->2689 2690 42f57c-42f57f call 402d30 2688->2690 2696 42f5d3-42f5db 2689->2696 2697 42f5c3-42f5cd RegisterClassA 2689->2697 2690->2689 2698 42f662-42f67e SetFocus call 403400 2696->2698 2699 42f5e1-42f612 CreateWindowExA 2696->2699 2697->2696 2699->2698 2701 42f614-42f658 call 42428c call 403738 CreateWindowExA 2699->2701 2701->2698 2707 42f65a-42f65d ShowWindow 2701->2707 2707->2698
                                                                                                              APIs
                                                                                                              • GetActiveWindow.USER32 ref: 0042F59F
                                                                                                              • GetFocus.USER32 ref: 0042F5A7
                                                                                                              • RegisterClassA.USER32(004997AC), ref: 0042F5C8
                                                                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F69C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F606
                                                                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F64C
                                                                                                              • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F65D
                                                                                                              • SetFocus.USER32(00000000,00000000,0042F67F,?,?,?,00000001,00000000,?,00458696,00000000,0049B628), ref: 0042F664
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                                              • String ID: TWindowDisabler-Window
                                                                                                              • API String ID: 3167913817-1824977358
                                                                                                              • Opcode ID: b2433ce4ffe1b1f942b14f487daced2f86516ced4add7bc415a00a8a37101852
                                                                                                              • Instruction ID: 092f1afd63313efa57bcf667ad1f00c9caddf595d34af2871f870ebe591ae418
                                                                                                              • Opcode Fuzzy Hash: b2433ce4ffe1b1f942b14f487daced2f86516ced4add7bc415a00a8a37101852
                                                                                                              • Instruction Fuzzy Hash: 20219F70740710BAE710EF62AD03F1A76A8EB04B04FA1413AF504AB2D1D7B96D5586ED
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 004531FC
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453202
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 00453216
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045321C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                                              • API String ID: 1646373207-2130885113
                                                                                                              • Opcode ID: c24ac2f37dcd2c5f05e81832aa1b687e7eaf3d26bd242744e205e68ddaa02280
                                                                                                              • Instruction ID: 5e931287d6eebe3694b70f0ad3549e6df422da746536320e83a51589c54bb73f
                                                                                                              • Opcode Fuzzy Hash: c24ac2f37dcd2c5f05e81832aa1b687e7eaf3d26bd242744e205e68ddaa02280
                                                                                                              • Instruction Fuzzy Hash: 5B017570240B45AFD711AF73AD02F167658E705B57F6044BBFC0096286D77C8A088EAD
                                                                                                              APIs
                                                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047C973,?,?,00000000,0049B628,00000000,00000000,?,00497F09,00000000,004980B2,?,00000000), ref: 0047C893
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0047C973,?,?,00000000,0049B628,00000000,00000000,?,00497F09,00000000,004980B2,?,00000000), ref: 0047C89C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateDirectoryErrorLast
                                                                                                              • String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup
                                                                                                              • API String ID: 1375471231-1421604804
                                                                                                              • Opcode ID: 20565183d399805a0260eecee190a14380a82a44589236b9bd3091d604848e13
                                                                                                              • Instruction ID: 2e7cf1fa8793a22cdcb7cccf6aa375e82942df810c5d1ff78a46bc34c798803d
                                                                                                              • Opcode Fuzzy Hash: 20565183d399805a0260eecee190a14380a82a44589236b9bd3091d604848e13
                                                                                                              • Instruction Fuzzy Hash: 65411474A001099BDB00EFA5D8C2ADEB7B9EB44309F50857BE91477392DB389E058B69
                                                                                                              APIs
                                                                                                              • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430958
                                                                                                              • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430967
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00430981
                                                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 004309A2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                                              • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                                              • API String ID: 4130936913-2943970505
                                                                                                              • Opcode ID: 78856a4ce41e30232f7250bb6d0de12fd7185dbc6f50e75004d9522d85a73123
                                                                                                              • Instruction ID: fe08fc0df2a0eca0a869f0df0621173a2940aa0bc2523ddfe777e35bb070d714
                                                                                                              • Opcode Fuzzy Hash: 78856a4ce41e30232f7250bb6d0de12fd7185dbc6f50e75004d9522d85a73123
                                                                                                              • Instruction Fuzzy Hash: 30F082B0958340CEE300EB25994271A7BE0EF58318F00467FF498A63E2D7399900CB5F
                                                                                                              APIs
                                                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,004725B5,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951), ref: 00472591
                                                                                                              • FindClose.KERNEL32(000000FF,004725BC,004725B5,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951,?), ref: 004725AF
                                                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,004726D7,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951), ref: 004726B3
                                                                                                              • FindClose.KERNEL32(000000FF,004726DE,004726D7,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951,?), ref: 004726D1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$CloseFileNext
                                                                                                              • String ID: "*G$"*G
                                                                                                              • API String ID: 2066263336-450946878
                                                                                                              • Opcode ID: 731f9d001d9b8b0b4781793d64753bce726ea54262d8f8a63928cd792b5168e5
                                                                                                              • Instruction ID: 3872decae14ce2498a692a517acaa1cf84d86a609609514027ee2c14d85ef847
                                                                                                              • Opcode Fuzzy Hash: 731f9d001d9b8b0b4781793d64753bce726ea54262d8f8a63928cd792b5168e5
                                                                                                              • Instruction Fuzzy Hash: 6CB13E7490424DAFCF11DFA5C981ADEBBB9FF49304F5081AAE808B3251D7789A46CF58
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00455218,00455218,00000031,00455218,00000000), ref: 004551A6
                                                                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00455218,00455218,00000031,00455218), ref: 004551B3
                                                                                                                • Part of subcall function 00454F68: WaitForInputIdle.USER32(00000001,00000032), ref: 00454F94
                                                                                                                • Part of subcall function 00454F68: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00454FB6
                                                                                                                • Part of subcall function 00454F68: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00454FC5
                                                                                                                • Part of subcall function 00454F68: CloseHandle.KERNEL32(00000001,00454FF2,00454FEB,?,00000031,00000080,00000000,?,?,0045534B,00000080,0000003C,00000000,00455361), ref: 00454FE5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                                              • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                                              • API String ID: 854858120-615399546
                                                                                                              • Opcode ID: 2fd3dae9d75497d44160d5c5904f03d0a65dfeb3736f9e9635dbb4a286748838
                                                                                                              • Instruction ID: 314af404618b4f06b129018ed763823481dfe4f790e250d6c958622b2bfe97d6
                                                                                                              • Opcode Fuzzy Hash: 2fd3dae9d75497d44160d5c5904f03d0a65dfeb3736f9e9635dbb4a286748838
                                                                                                              • Instruction Fuzzy Hash: 12515A30A0074DABDB11EF95C892BEEBBB9AF44705F50407BB804B7282D7785A49CB59
                                                                                                              APIs
                                                                                                              • LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                                                              • OemToCharA.USER32(?,?), ref: 0042376C
                                                                                                              • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Char$FileIconLoadLowerModuleName
                                                                                                              • String ID: 2$MAINICON
                                                                                                              • API String ID: 3935243913-3181700818
                                                                                                              • Opcode ID: 751299a27fb29773dc730031d78ffe09a982dc500c90bea8db2431fb333e9452
                                                                                                              • Instruction ID: fd9f9c5161a85cdd37c149357dc6ae372d2e201a3957992c444bec056041847b
                                                                                                              • Opcode Fuzzy Hash: 751299a27fb29773dc730031d78ffe09a982dc500c90bea8db2431fb333e9452
                                                                                                              • Instruction Fuzzy Hash: 89319270A042549ADF14EF2998857C67BE8AF14308F4441BAE844DB393D7BED988CB99
                                                                                                              APIs
                                                                                                              • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
                                                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00418F89
                                                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA
                                                                                                                • Part of subcall function 004230D8: 73EAA570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
                                                                                                                • Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                                                                • Part of subcall function 004230D8: 73EB4620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
                                                                                                                • Part of subcall function 004230D8: 73EAA480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
                                                                                                                • Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                                                                • Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                                                                • Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
                                                                                                                • Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                                                                • Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
                                                                                                                • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
                                                                                                                • Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
                                                                                                                • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A480A570B4620EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                                                                                              • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                                              • API String ID: 4055152562-2767913252
                                                                                                              • Opcode ID: cfc1acdfd4e85ff2d131a9f4d40f785a7290ab9aa4a67b06bd919a79267a8431
                                                                                                              • Instruction ID: 147b0fd3ac44816fa50e213e98ef70cab9cb63b371fef283777c7ccc396f8742
                                                                                                              • Opcode Fuzzy Hash: cfc1acdfd4e85ff2d131a9f4d40f785a7290ab9aa4a67b06bd919a79267a8431
                                                                                                              • Instruction Fuzzy Hash: BB112EB06142409AC740FF76A94265A7BE1DB64318F40843FF448EB2D1DB7D99448B5F
APIs
• SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
• GetWindowLongA.USER32(?,000000F0), ref: 0041367F
• GetWindowLongA.USER32(?,000000F4), ref: 00413691
• SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
• SetPropA.USER32(?,00000000,00000000), ref: 004136BB
• SetPropA.USER32(?,00000000,00000000), ref: 004136D2
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: LongWindow$Prop
• String ID:
• API String ID: 3887896539-0
• Opcode ID: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
• Instruction ID: 955d73ee8c9e489f8eb805393a0cdbf9fe7b6d9765079e051d97cf620cdedb95
• Opcode Fuzzy Hash: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
• Instruction Fuzzy Hash: D811C975500248BFDB00DF9DDC84EDA3BE8EB19364F144666B918DB2A1D738DD908BA8
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045585B,?,00000000,0045589B), ref: 004557A1
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455724
• WININIT.INI, xrefs: 004557D0
• PendingFileRenameOperations2, xrefs: 00455770
• PendingFileRenameOperations, xrefs: 00455740
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
• API String ID: 47109696-2199428270
• Opcode ID: e596244eac119ca3746a9610a602a7bde82fbf058035d963e90b8d4b6900848c
• Instruction ID: 5ff55985f0d79b0cf99ef6a0ef0ae12f56fe6c83aec1de8438bfb9543cdeefde
• Opcode Fuzzy Hash: e596244eac119ca3746a9610a602a7bde82fbf058035d963e90b8d4b6900848c
• Instruction Fuzzy Hash: BB519670E006089FDB10FF61DC51AEEB7B9EF45305F50857BE804A7292DB7CAA49CA58
APIs
• EnumWindows.USER32(00423A2C), ref: 00423AB8
• GetWindow.USER32(?,00000003), ref: 00423ACD
• GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
• SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: Window$EnumLongWindows
• String ID: lAB
• API String ID: 4191631535-3476862382
• Opcode ID: 5f05c18b5ef50282e2e62587cef3ede3e0bfa46b8e8bdba155623c697b582535
• Instruction ID: 20c146af1fa2ebf8fe73d6cd857ce812a249192cdefe4c29475ac4fba41381ea
• Opcode Fuzzy Hash: 5f05c18b5ef50282e2e62587cef3ede3e0bfa46b8e8bdba155623c697b582535
• Instruction Fuzzy Hash: 4E115E70700610ABDB109F28DD85F6A77E8EB04725F50026AF9A49B2E7C378ED40CB59
APIs
• RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE60
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFFB,00000000,0042E013,?,?,?,?,00000006,?,00000000,0049722D), ref: 0042DE7B
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE81
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AddressDeleteHandleModuleProc
• String ID: RegDeleteKeyExA$advapi32.dll
• API String ID: 588496660-1846899949
• Opcode ID: 1efadd4f9f0c0ea65d6d931b2dfdd832bea74e7cc2ac9dff72f3f3dd5b00937e
• Instruction ID: 51feda2b41882886fdb541a0ee71ee95ad591444612597d61ea777cd3c773b46
• Opcode Fuzzy Hash: 1efadd4f9f0c0ea65d6d931b2dfdd832bea74e7cc2ac9dff72f3f3dd5b00937e
• Instruction Fuzzy Hash: 3EE06DB1B41B30AAD72032A57C8AB932629DB75326F658537F005AE1D183FC2C50CE9D
Strings
• PrepareToInstall failed: %s, xrefs: 0046C14B
• NextButtonClick, xrefs: 0046BF84
• Need to restart Windows? %s, xrefs: 0046C172
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID:
• String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
• API String ID: 0-2329492092
• Opcode ID: 221dd23b7cfc17f66ca7de120067e16c15a7d044e53f2a8722f04dc11adac0dc
• Instruction ID: 1202268df95ceb0eead913a0caf14b6b564ec17a2e6689a58d7256d675820d07
• Opcode Fuzzy Hash: 221dd23b7cfc17f66ca7de120067e16c15a7d044e53f2a8722f04dc11adac0dc
• Instruction Fuzzy Hash: 64C16D34A04208DFCB00DB98C9D5AEE77B5EF05304F1444B7E840AB362D778AE41DBAA
APIs
• SetActiveWindow.USER32(?,?,00000000,00482E54), ref: 00482C30
• SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00482CC5
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: ActiveChangeNotifyWindow
• String ID: $Need to restart Windows? %s
• API String ID: 1160245247-4200181552
• Opcode ID: 42b6435f46a46e58fbbfcf74279f1aaa99ef9f12c59d4801a02600e2121285e9
• Instruction ID: 8ca071c16d970d9f92bb59f1fa37784b4b8a51c549d6f2244aaf7164950ab745
• Opcode Fuzzy Hash: 42b6435f46a46e58fbbfcf74279f1aaa99ef9f12c59d4801a02600e2121285e9
• Instruction Fuzzy Hash: 2191B4346042458FDB10EB69D9C5BAD77F4AF59308F0084BBE8009B3A2CBB8AD05CB5D
APIs
  • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
• GetLastError.KERNEL32(00000000,0046FF81,?,?,0049C1D0,00000000), ref: 0046FE5E
• SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FED8
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FEFD
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: ChangeNotify$ErrorFullLastNamePath
• String ID: Creating directory: %s
• API String ID: 2451617938-483064649
• Opcode ID: 1f02ae1e850569658feceaaf3c85ff1782ed1f35d471b3de261e4d8f3d8ed172
• Instruction ID: bdf8a9d00633064e3922ce557b3b2562df44373322d6b4000fae74d311730630
• Opcode Fuzzy Hash: 1f02ae1e850569658feceaaf3c85ff1782ed1f35d471b3de261e4d8f3d8ed172
• Instruction Fuzzy Hash: AE513F74A00248ABDB04DFA5D582BDEB7F5AF09304F50817BE850B7382D7786E08CB69
APIs
• GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E6E
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F34), ref: 00454ED8
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AddressByteCharMultiProcWide
• String ID: SfcIsFileProtected$sfc.dll
• API String ID: 2508298434-591603554
• Opcode ID: 6a91046d7309a4de6cfc4beec76e0de6ac9bbff88298f3f0baf31012854e5b94
• Instruction ID: 1a17c74f1ac94ad93f17d87dc1e08c5ddb540f3824a5df31749c88666692504e
• Opcode Fuzzy Hash: 6a91046d7309a4de6cfc4beec76e0de6ac9bbff88298f3f0baf31012854e5b94
• Instruction Fuzzy Hash: 6A41A630A042189BEB10DB69DC85B9D77B8AB4430DF5081B7E908A7293D7785F88CF59
APIs
• 73EAA570.USER32(00000000,?,00000000,00000000,0044B49D,?,k H,?,?), ref: 0044B411
• SelectObject.GDI32(?,00000000), ref: 0044B434
• 73EAA480.USER32(00000000,?,0044B474,00000000,0044B46D,?,00000000,?,00000000,00000000,0044B49D,?,k H,?,?), ref: 0044B467
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: A480A570ObjectSelect
• String ID: k H
• API String ID: 1230475511-1447039187
• Opcode ID: d4c138e2771e5465782f1838dde397b15c475f1a6013829dedf10027ea17c150
• Instruction ID: b5872ed9d16ca79c431bae9e7544c15e8f802733be01f045b529408bc148fe47
• Opcode Fuzzy Hash: d4c138e2771e5465782f1838dde397b15c475f1a6013829dedf10027ea17c150
• Instruction Fuzzy Hash: 6D217470A04248AFEB15DFA5C851B9EBBB9EB49304F51807AF504E7282D77CD940CB69
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B15C,?,k H,?,?), ref: 0044B12E
• DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B141
• DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B175
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: DrawText$ByteCharMultiWide
• String ID: k H
• API String ID: 65125430-1447039187
• Opcode ID: 9eee4d412d6110b2587a1d6710a95c773ea7c34e3a7d98a27860af6b4704048a
• Instruction ID: 2dd5a1fcad8022b5ecdd36c3e8438632fadfe976456551c737a9f8dd3ea145e1
• Opcode Fuzzy Hash: 9eee4d412d6110b2587a1d6710a95c773ea7c34e3a7d98a27860af6b4704048a
• Instruction Fuzzy Hash: A3110BB6700604BFE700DB5A9C91D6F77ECD749750F10413BF504D72D0C6389E018668
APIs
• SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5
  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
  • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
  • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 395431579-1506664499
• Opcode ID: 0d90ae9549cb3a794f747e0b3b89476a1a48bf8a1e7f9d56d35495b62d60795c
• Instruction ID: a33720f3aac7210c00664dabe11b621525643aa7ae94b1405928deeb439ddd4e
• Opcode Fuzzy Hash: 0d90ae9549cb3a794f747e0b3b89476a1a48bf8a1e7f9d56d35495b62d60795c
• Instruction Fuzzy Hash: 1611A331B00318BBDB11EB62ED81B8E7BA8DB55704F90407BF400A6691DBB8AE05C65D
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(?,00455A67,?,00000001,00000000), ref: 00455A5A
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A08
• PendingFileRenameOperations2, xrefs: 00455A3B
• PendingFileRenameOperations, xrefs: 00455A2C
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
• Opcode ID: a871c7690d9b103e0f7f2022bbb7230101daa82acd14c33f99511ba30d6e5aa6
• Instruction ID: a84b10804161a04e9b7828e63518c67389a2277fb2d5ef6d9c2d81c30e1ce2e0
• Opcode Fuzzy Hash: a871c7690d9b103e0f7f2022bbb7230101daa82acd14c33f99511ba30d6e5aa6
• Instruction Fuzzy Hash: 49F09671714A04BFEB05D665DC72E3A739CD744B15FA1446BF800C6682DA7DBE04951C
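The function listings in this report follow a fixed shape (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), which makes them easy to turn into structured records for triage: which functions resolve imports at runtime through GetProcAddress, and which carry strings such as PendingFileRenameOperations that an analyst wants to look at first. The parser below is an added example and is not part of the Joe Sandbox report or of the analysed sample; the excerpt it parses is copied from two of the listings on this page, and the triage rules (the resolver set and the watched string prefixes) are this example's own choices, not anything the report defines.

```python
"""Parse Joe Sandbox function listings into records and triage them.

Added example, not part of the Joe Sandbox report.  REPORT_EXCERPT is a
constructed sample copied from two listings in the report for noode.exe;
the triage rules below are assumptions chosen for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

REPORT_EXCERPT = r"""APIs
• GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E6E
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F34), ref: 00454ED8
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AddressByteCharMultiProcWide
• String ID: SfcIsFileProtected$sfc.dll
• API String ID: 2508298434-591603554
• Opcode ID: 6a91046d7309a4de6cfc4beec76e0de6ac9bbff88298f3f0baf31012854e5b94
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(?,00455A67,?,00000001,00000000), ref: 00455A5A
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A08
• PendingFileRenameOperations2, xrefs: 00455A3B
• PendingFileRenameOperations, xrefs: 00455A2C
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
• Opcode ID: a871c7690d9b103e0f7f2022bbb7230101daa82acd14c33f99511ba30d6e5aa6
"""

# "Name.MODULE(arg,arg,...), ref: ADDR", optionally prefixed by a subcall note.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<subaddr>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<xref>[0-9A-F]{8})$")
KV_RE = re.compile(r"^(?P<key>[^:]+): (?P<value>.*)$")
SECTIONS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list            # raw sandbox arguments, split on ',' (approximate)
    ref: str              # call-site address
    subcall_of: Optional[str] = None   # set when the call sits in a subcall


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (value, xref) pairs
    meta: dict = field(default_factory=dict)      # Opcode ID, API ID, ...


def parse_functions(text):
    """Split the report text into one FunctionRecord per 'APIs' listing."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()                 # also drops the report's indentation
        if line == "APIs":                 # every listing starts with this header
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
        elif line in SECTIONS:
            section = line
        elif current is not None and line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs" and (m := API_RE.match(body)):
                current.apis.append(ApiCall(m["name"], m["module"],
                                            m["args"].split(","), m["ref"], m["subaddr"]))
            elif section == "Strings" and (m := STRING_RE.match(body)):
                current.strings.append((m["value"], m["xref"]))
            elif m := KV_RE.match(body):
                current.meta[m["key"]] = m["value"]
    return records


def resolved_imports(records):
    """Names the sample resolves at runtime: 2nd argument of each GetProcAddress."""
    return [(c.args[1], c.ref) for r in records for c in r.apis
            if c.name == "GetProcAddress" and len(c.args) >= 2]


# Assumed triage rules for this example: dynamic resolution plus a few
# strings worth a first look (reboot-time file moves, WFP checks).
DYNAMIC_RESOLVERS = {"GetProcAddress", "LoadLibraryA", "LoadLibraryW"}
WATCH_PREFIXES = ("PendingFileRenameOperations", "SfcIsFileProtected")


def triage(records):
    """Return one finding per record that hits a resolver or a watched string."""
    findings = []
    for i, rec in enumerate(records):
        resolvers = sorted({c.name for c in rec.apis} & DYNAMIC_RESOLVERS)
        # Strings appear under 'Strings' and, '$'-joined, in the Similarity String ID.
        seen = [s for s, _ in rec.strings] + rec.meta.get("String ID", "").split("$")
        watched = sorted({s for s in seen if s.startswith(WATCH_PREFIXES)})
        if resolvers or watched:
            findings.append({"index": i, "opcode_id": rec.meta.get("Opcode ID"),
                             "resolvers": resolvers, "strings": watched})
    return findings


if __name__ == "__main__":
    recs = parse_functions(REPORT_EXCERPT)
    print(resolved_imports(recs))
    for f in triage(recs):
        print(f)
```

The parser strips each line before matching, so it accepts both the indented text as extracted from the report and the cleaned form; the argument split on commas is approximate because the sandbox prints arguments unquoted. The Similarity "String ID" is consulted as well as the "Strings" section because the report lists strings in both places and the two are not always in step.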
APIs
• FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?,?,00000000), ref: 0047F8AA
• FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?,?), ref: 0047F8B7
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047F9D0,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D), ref: 0047F9AC
• FindClose.KERNEL32(000000FF,0047F9D7,0047F9D0,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?), ref: 0047F9CA
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: dd47ce488d5ea13da555b7d1a4745cf9b199e366fd9c8806cfe2b69594f7a430
• Instruction ID: d4c1b09f85a1e3ce5f066f5119f691750f955bf6e0a6470712ab8dbd39f482a6
• Opcode Fuzzy Hash: dd47ce488d5ea13da555b7d1a4745cf9b199e366fd9c8806cfe2b69594f7a430
• Instruction Fuzzy Hash: 80513E71A00648AFCB10EF65CC45ADEB7B8AB88315F1085BAA818E7351D7389F49CF59
APIs
• GetMenu.USER32(00000000), ref: 00421371
• SetMenu.USER32(00000000,00000000), ref: 0042138E
• SetMenu.USER32(00000000,00000000), ref: 004213C3
• SetMenu.USER32(00000000,00000000), ref: 004213DF
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: Menu
• String ID:
• API String ID: 3711407533-0
• Opcode ID: fcb1d01c21a3638414a8535da0e373d0dc57cc6d33ffad44a18b700e1522ce17
• Instruction ID: 7918b5ac66a49b7c70f092078a7f06842b1ce09055eaa5e04548cec6233339c2
• Opcode Fuzzy Hash: fcb1d01c21a3638414a8535da0e373d0dc57cc6d33ffad44a18b700e1522ce17
• Instruction Fuzzy Hash: 7D41A13070025447EB20EA79A9857AB26969F69318F4805BFFC44DF3A3CA7DDC45839D
APIs
• SendMessageA.USER32(?,?,?,?), ref: 00416B94
• SetTextColor.GDI32(?,00000000), ref: 00416BAE
• SetBkColor.GDI32(?,00000000), ref: 00416BC8
• CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: Color$CallMessageProcSendTextWindow
• String ID:
• API String ID: 601730667-0
• Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
• Instruction ID: 7a78515b3e46194db8101330e18da160614de8b80347fcfd5663145ee8fb6c7e
• Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
• Instruction Fuzzy Hash: 27115EB6600A04AFC710EE6ECC84E8773ECDF48314715883EB59ADB612D638F8418B69
APIs
• 73EAA570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
• EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
• 73EB4620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
• 73EAA480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: A480A570B4620EnumFonts
• String ID:
• API String ID: 439372008-0
APIs
  • Part of subcall function 00450918: SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
• FlushFileBuffers.KERNEL32(?), ref: 0045C7FD
Strings
• NumRecs range exceeded, xrefs: 0045C6FA
• EndOffset range exceeded, xrefs: 0045C731
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: File$BuffersFlush
• String ID: EndOffset range exceeded$NumRecs range exceeded
• API String ID: 3593489403-659731555
APIs
  • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498586), ref: 0040334B
  • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498586), ref: 00403356
  • Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498590), ref: 0040633A
  • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
  • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
  • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
  • Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498590), ref: 0040637E
  • Part of subcall function 00409B88: 6F981CD0.COMCTL32(0049859A), ref: 00409B88
  • Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2
  • Part of subcall function 00419050: GetVersion.KERNEL32(004985AE), ref: 00419050
  • Part of subcall function 0044F754: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004985C2), ref: 0044F78F
  • Part of subcall function 0044F754: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F795
  • Part of subcall function 0044FBFC: GetVersionExA.KERNEL32(0049B790,004985C7), ref: 0044FC0B
  • Part of subcall function 004531DC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 004531FC
  • Part of subcall function 004531DC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453202
  • Part of subcall function 004531DC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 00453216
  • Part of subcall function 004531DC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045321C
  • Part of subcall function 00456EEC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F10
  • Part of subcall function 00464960: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
  • Part of subcall function 00464960: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975
  • Part of subcall function 0046D098: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046D0AD
  • Part of subcall function 00478B3C: GetModuleHandleA.KERNEL32(kernel32.dll,?,004985F4), ref: 00478B42
  • Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
  • Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478B5F
  • Part of subcall function 00495584: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0049559D
• SetErrorMode.KERNEL32(00000001,00000000,0049863C), ref: 0049860E
  • Part of subcall function 00498338: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498618,00000001,00000000,0049863C), ref: 00498342
  • Part of subcall function 00498338: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498348
  • Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503
  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
• ShowWindow.USER32(?,00000005,00000000,0049863C), ref: 0049866F
  • Part of subcall function 00482050: SetActiveWindow.USER32(?), ref: 004820FE
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF981FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
• String ID: Setup
• API String ID: 3614477821-3839654196
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453AFF,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A56
• GetLastError.KERNEL32(00000000,00000000,?,00000000,00453AFF,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A5F
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
APIs
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C596,00000000,0047C5AC,?,?,?,?,00000000), ref: 0047C372
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: Close
• String ID: RegisteredOrganization$RegisteredOwner
• API String ID: 3535843008-1113070880
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004756F3), ref: 004754E1
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004756F3), ref: 004754F8
  • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: CloseCreateErrorFileHandleLast
• String ID: CreateFile
• API String ID: 2528220319-823142352
APIs
• RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: Open
• String ID: System\CurrentControlSet\Control\Windows$c6H
• API String ID: 71445658-1548894351
                                                                                                              APIs
                                                                                                                • Part of subcall function 00456E7C: CoInitialize.OLE32(00000000), ref: 00456E82
                                                                                                                • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                                                • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                                                              • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F10
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                                              • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                                              • API String ID: 2906209438-2320870614
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                                                • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                                                              • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046D0AD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressErrorLibraryLoadModeProc
                                                                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                              • API String ID: 2492108670-2683653824
                                                                                                              APIs
                                                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448719), ref: 0044865C
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486DD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                              • String ID:
                                                                                                              • API String ID: 2574300362-0
                                                                                                              APIs
                                                                                                              • GetSystemMenu.USER32(00000000,00000000,00000000,0048183C), ref: 004817D4
                                                                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 004817E5
                                                                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 004817FD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$Append$System
                                                                                                              • String ID:
                                                                                                              • API String ID: 1489644407-0
                                                                                                              APIs
                                                                                                              • 751D1520.VERSION(00000000,?,?,?,004972D0), ref: 0045251C
                                                                                                              • 751D1500.VERSION(00000000,?,00000000,?,00000000,00452597,?,00000000,?,?,?,004972D0), ref: 00452549
                                                                                                              • 751D1540.VERSION(?,004525C0,?,?,00000000,?,00000000,?,00000000,00452597,?,00000000,?,?,?,004972D0), ref: 00452563
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: D1500D1520D1540
                                                                                                              • String ID:
                                                                                                              • API String ID: 2241823734-0
                                                                                                              APIs
                                                                                                              • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
                                                                                                              • TranslateMessage.USER32(?), ref: 0042449F
                                                                                                              • DispatchMessageA.USER32(?), ref: 004244A9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message$DispatchPeekTranslate
                                                                                                              • String ID:
                                                                                                              • API String ID: 4217535847-0
                                                                                                              APIs
                                                                                                              • SetPropA.USER32(00000000,00000000), ref: 0041667A
                                                                                                              • SetPropA.USER32(00000000,00000000), ref: 0041668F
                                                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Prop$Window
                                                                                                              • String ID:
                                                                                                              • API String ID: 3363284559-0
                                                                                                              APIs
                                                                                                              • IsWindowVisible.USER32(?), ref: 0041EE74
                                                                                                              • IsWindowEnabled.USER32(?), ref: 0041EE7E
                                                                                                              • EnableWindow.USER32(?,00000000), ref: 0041EEA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$EnableEnabledVisible
                                                                                                              • String ID:
                                                                                                              • API String ID: 3234591441-0
                                                                                                              APIs
                                                                                                              • SetActiveWindow.USER32(?), ref: 0046A378
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ActiveWindow
                                                                                                              • String ID: PrepareToInstall
                                                                                                              • API String ID: 2558294473-1101760603
                                                                                                              • Opcode ID: 2f09c314b6fb54b1472f2c84d4998d1c671ccdc982530a6e1a6c91392ff97de1
                                                                                                              • Instruction ID: 163d609461ff3b9580316b21a780dec1cd9204125e937a74b025edb926540d27
                                                                                                              • Opcode Fuzzy Hash: 2f09c314b6fb54b1472f2c84d4998d1c671ccdc982530a6e1a6c91392ff97de1
                                                                                                              • Instruction Fuzzy Hash: 90A10A34A00109DFCB00EB99D985EEEB7F5AF88304F1580B6E404AB362D738AE45DF59
                                                                                                              Strings
Similarity
• API ID:
• String ID: /:*?"<>|
• API String ID: 0-4078764451
• Opcode ID: daa5e4ec58dfd3a4f8b67407405db92af73f638a584e66193a323fc2660a566c
• Instruction ID: b706238f5af82f8a54f925a22e06db4ee79b372672e861a4edd763b161806009
• Opcode Fuzzy Hash: daa5e4ec58dfd3a4f8b67407405db92af73f638a584e66193a323fc2660a566c
• Instruction Fuzzy Hash: 6F7197B0B44244AADB20E766DCC2BEE77A19F41704F108167F5807B392E7B99D45878E
APIs
• SetActiveWindow.USER32(?), ref: 004820FE
Strings
Similarity
• API ID: ActiveWindow
• String ID: InitializeWizard
• API String ID: 2558294473-2356795471
• Opcode ID: 4cb1695e49b1b07e3586b425a713be07569947560fbf0fba233168fdeef3d44e
• Instruction ID: b8891c381381d1a0014b65a4ce29d1dfbbdf9d421e77ac889de6892087eb3363
• Opcode Fuzzy Hash: 4cb1695e49b1b07e3586b425a713be07569947560fbf0fba233168fdeef3d44e
• Instruction Fuzzy Hash: BE118234205204DFD711EBA5FE96B2977E4EB55314F20143BE5008B3A1DA796C50CB6D
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C472,00000000,0047C5AC), ref: 0047C271
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C241
Similarity
• API ID: CloseOpen
• String ID: Software\Microsoft\Windows\CurrentVersion
• API String ID: 47109696-1019749484
• Opcode ID: 6e2d5090e95b4c6fabdd9168d7cad944b3593745ae6ad0b3bb6d2af319e0c910
• Instruction ID: 70811ca8e083c9a3dbfae153db117623eb743e792d78c4ccda021ebaf15ccddc
• Opcode Fuzzy Hash: 6e2d5090e95b4c6fabdd9168d7cad944b3593745ae6ad0b3bb6d2af319e0c910
• Instruction Fuzzy Hash: 8EF08931B0411467DA00A5DA5C82B9E56DD8B55758F20407FF508EB253D9B99D02036C
APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,004763FA,?,0049C1D0,?,0046F403,?,00000000,0046F99E,?,_is1), ref: 0046F10F
Strings
• Inno Setup: Setup Version, xrefs: 0046F10D
Similarity
• API ID: Value
• String ID: Inno Setup: Setup Version
• API String ID: 3702945584-4166306022
• Opcode ID: 734ac0f1c1098741eb0e60cbf617dbc9041c5452899e61f021b18629f5aca0fc
• Instruction ID: 253732d940e31991125f8b939195b5ca02eb4333684dc2ddbbcc15e62aa31341
• Opcode Fuzzy Hash: 734ac0f1c1098741eb0e60cbf617dbc9041c5452899e61f021b18629f5aca0fc
• Instruction Fuzzy Hash: 3BE06D713012047FD710AA6B9C85F5BBADDDF993A5F10403AB908DB392D578DD4081A8
APIs
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F7DA,?,?,00000000,0046F99E,?,_is1,?), ref: 0046F16F
Strings
Similarity
• API ID: Value
• String ID: NoModify
• API String ID: 3702945584-1699962838
• Opcode ID: 14b653d2795b3180ab09acf432715bdcca8a399851f75d04a8bb0bb30e96b91c
• Instruction ID: dfbc78ba79a393f528aadc4bccb3a1e1d52346a2df28baf9fde3d1272b39f611
• Opcode Fuzzy Hash: 14b653d2795b3180ab09acf432715bdcca8a399851f75d04a8bb0bb30e96b91c
• Instruction Fuzzy Hash: D8E04FB4604304BFEB04DB55DD4AF6B77ECDB48750F10415ABA04DB281E674EE00C668
APIs
• GetACP.KERNEL32(?,?,00000001,00000000,0047E25F,?,-0000001A,004800D8,-00000010,?,00000004,0000001B,00000000,00480425,?,0045DECC), ref: 0047DFF6
  • Part of subcall function 0042E32C: 73EAA570.USER32(00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB), ref: 0042E33B
  • Part of subcall function 0042E32C: EnumFontsA.GDI32(?,00000000,0042E318,00000000,00000000,0042E384,?,00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000), ref: 0042E366
  • Part of subcall function 0042E32C: 73EAA480.USER32(00000000,?,0042E38B,00000000,00000000,0042E384,?,00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000), ref: 0042E37E
• SendNotifyMessageA.USER32(000103E8,00000496,00002711,-00000001), ref: 0047E1C6
Similarity
• API ID: A480A570EnumFontsMessageNotifySend
• String ID:
• API String ID: 2685184028-0
• Opcode ID: d5a98fd350b21412a22cf4123539bd0c298e95acb479fbe192b8033f652af546
• Instruction ID: 0ea8e5e95b90053dcc80dc26f94e29a170662e2b3e10ca2db4d961c35622b213
• Opcode Fuzzy Hash: d5a98fd350b21412a22cf4123539bd0c298e95acb479fbe192b8033f652af546
• Instruction Fuzzy Hash: 2651A6746001508BD710FF27D9C16963799EB88308B90C6BBA8089F367C77CDD068B9D
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DC4C
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DCBC
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: dcaea444aa2693f3151e4f161b8541bd325653ac2cf38fab622dd52302d9ecee
• Instruction ID: 0afc69acb925fd444515a6cbe8b6240f093bd173affdd4b5aabebdcedbe93bcc
• Opcode Fuzzy Hash: dcaea444aa2693f3151e4f161b8541bd325653ac2cf38fab622dd52302d9ecee
• Instruction Fuzzy Hash: E0414F71E00529ABDB11DF95D881BAFB7B8AB00714F90846AE800F7241D778AE00CBA9
APIs
• RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DF7C
• RegCloseKey.ADVAPI32(?,0042DFED,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DFE0
Similarity
• API ID: CloseEnum
• String ID:
• API String ID: 2818636725-0
• Opcode ID: 18687f4e18b3232f9437fac6e5314fb2332009eed5616211d6a140e10b5cd508
• Instruction ID: 2fe76ac110d60e281b9c8dcd8425dafac1d5c60e45ccd2ae84570cbaedcb928d
• Opcode Fuzzy Hash: 18687f4e18b3232f9437fac6e5314fb2332009eed5616211d6a140e10b5cd508
• Instruction Fuzzy Hash: 52319170F04258AEDB11DFA2DD82BAEB7B9EB48304F91407BE501E7281D6785A01CA2D
APIs
• CreateProcessA.KERNEL32(00000000,00000000,?,?,004580B4,00000000,0045809C,?,?,?,00000000,0045284E,?,?,?,00000001), ref: 00452828
• GetLastError.KERNEL32(00000000,00000000,?,?,004580B4,00000000,0045809C,?,?,?,00000000,0045284E,?,?,?,00000001), ref: 00452830
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateErrorLastProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 2919029540-0
                                                                                                              APIs
                                                                                                              • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFF2
                                                                                                              • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B14F,00000000,0040B167,?,?,?,00000000), ref: 0040B003
                                                                                                              Similarity
                                                                                                              • API ID: Resource$FindFree
                                                                                                              • String ID:
                                                                                                              • API String ID: 4097029671-0
                                                                                                              APIs
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                                              • 73EB5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09
                                                                                                              Similarity
                                                                                                              • API ID: B5940CurrentThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 1892714436-0
                                                                                                              APIs
                                                                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CAE
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00452CD4), ref: 00452CB6
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFileLastMove
                                                                                                              • String ID:
                                                                                                              • API String ID: 55378915-0
                                                                                                              APIs
                                                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527BB), ref: 00452795
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,004527BB), ref: 0045279D
                                                                                                              Similarity
                                                                                                              • API ID: CreateDirectoryErrorLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 1375471231-0
                                                                                                              APIs
                                                                                                              • LoadCursorA.USER32(00000000,00007F00), ref: 00423259
                                                                                                              • LoadCursorA.USER32(00000000,00000000), ref: 00423283
                                                                                                              Similarity
                                                                                                              • API ID: CursorLoad
                                                                                                              • String ID:
                                                                                                              • API String ID: 3238433803-0
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                                              • LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLibraryLoadMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 2987862817-0
                                                                                                              APIs
                                                                                                              • GetClassInfoA.USER32(00400000,?,?), ref: 004162F1
                                                                                                              • GetClassInfoA.USER32(00000000,?,?), ref: 00416301
                                                                                                              Similarity
                                                                                                              • API ID: ClassInfo
                                                                                                              • String ID:
                                                                                                              • API String ID: 3534257612-0
                                                                                                              APIs
                                                                                                              • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,004703F1,?,00000000), ref: 004508FA
                                                                                                              • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,004703F1,?,00000000), ref: 00450902
                                                                                                                • Part of subcall function 004506A0: GetLastError.KERNEL32(004504BC,00450762,?,00000000,?,004977FC,00000001,00000000,00000002,00000000,0049795D,?,?,00000005,00000000,00497991), ref: 004506A3
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$FilePointer
                                                                                                              • String ID:
                                                                                                              • API String ID: 1156039329-0
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
• Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
• Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
• Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,0040871A), ref: 00408603
  • Part of subcall function 00406DF4: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E11
  • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: 2ab4847006ef9acfce6ccb5f1f64a91e8b74d27154e4f0e7901e4566ca639e1f
• Instruction ID: ea6634d2ed8774f5e90a5a6f355d63bed973dafba18e0ec7d48b30ffe24ea089
• Opcode Fuzzy Hash: 2ab4847006ef9acfce6ccb5f1f64a91e8b74d27154e4f0e7901e4566ca639e1f
• Instruction Fuzzy Hash: C4314375E001199BCF01DF95C8819EEB7B9FF84314F15857BE815AB286E738AE018B98
APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: InfoScroll
• String ID:
• API String ID: 629608716-0
• Opcode ID: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
• Instruction ID: 2c7078d87c5cd90d2d28a279248f0ceb63a34b6d02ec849610dd04de18f9c6e3
• Opcode Fuzzy Hash: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
• Instruction Fuzzy Hash: AA213EB1608745AFD350DF39D4407AABBE4BB48314F04893EA498C3741E778E99ACBD6
APIs
  • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
  • Part of subcall function 0041EEB4: 73EB5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09
• SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C756,?,00000000,?,?,0046C968,?,00000000,0046C9DC), ref: 0046C73A
  • Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
  • Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: Window$B5940CurrentEnablePathPrepareThreadWrite
• String ID:
• API String ID: 2478441650-0
• Opcode ID: 7310e4a240e1736cfb30b9abd7a9c8d32e29debdd45fb2130da0edd2c14fc99c
• Instruction ID: 552ca42e7a4f22222615ff1de8f8c20df724e6475abae56b3c63f202feb1ec23
• Opcode Fuzzy Hash: 7310e4a240e1736cfb30b9abd7a9c8d32e29debdd45fb2130da0edd2c14fc99c
• Instruction Fuzzy Hash: 28F0E270248300FFEB059BB2EDD6B2577E8E319716F91043BF504866D0EA795D40C96E
APIs
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
• Instruction ID: d0e136ad155d69288fc423feb27b218c22c44688115b59a91c3ffefc647f2292
• Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
• Instruction Fuzzy Hash: F0F0FF70509209DBBB1CCF54D0919AF7B71EB59310F20806FE907877A0D6346A80D759
APIs
• CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
• Instruction ID: 39ad6e161323637dbb8254467e02d50acedd081d31d6b9d15e1adfc5f54150e8
• Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
• Instruction Fuzzy Hash: 6EF02BB2200510AFDB84CF9CD9C0F9373ECEB0C210B0481A6FA08CF24AD220EC108BB0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
• Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
• Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
• Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004507F0
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 838f498b19bb2aafec3be0ee987651bf511c4e6d2f63907cf4f88042037e4973
• Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
• Opcode Fuzzy Hash: 838f498b19bb2aafec3be0ee987651bf511c4e6d2f63907cf4f88042037e4973
• Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0042CD24,?,00000001,?,?,00000000,?,0042CD76,00000000,00452A11,00000000,00452A32,?,00000000), ref: 0042CD07
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: a570e9d0cc49cd9ea48ac8d9958fbde071fca7bece3969a5989dcb135d147aed
• Instruction ID: bebe06870d533199fa05ec681e6f815a7bc371a3e359dcca221b2f893a48d47d
• Opcode Fuzzy Hash: a570e9d0cc49cd9ea48ac8d9958fbde071fca7bece3969a5989dcb135d147aed
• Instruction Fuzzy Hash: 0AE06571304308BFD701EB62EC92A5EBBECD749714B914476B400D7592D5B86E008458
                                                                                                              APIs
                                                                                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FormatMessage
                                                                                                              • String ID:
                                                                                                              • API String ID: 1306739567-0
                                                                                                              • Opcode ID: 1d16c149c237ab05d394d1dcd15bc1a2ba242a73302d35381885c392630e106f
                                                                                                              • Instruction ID: 1e04b5e42f682bd3307758a00633d1e15c64123c11c882a5e2d093d9edca25ee
                                                                                                              • Opcode Fuzzy Hash: 1d16c149c237ab05d394d1dcd15bc1a2ba242a73302d35381885c392630e106f
                                                                                                              • Instruction Fuzzy Hash: E7E0D86178432126F23524166C43B7B110E43C0704FD080267A809F3D6D6EE9949425E
                                                                                                              APIs
                                                                                                              • CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406329
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 716092398-0
                                                                                                              • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                              • Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
                                                                                                              • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                              • Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
                                                                                                              APIs
                                                                                                              • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0
                                                                                                              • Opcode ID: b59592ccec0b1853c0d50eb209755673f49d30f0d63234ebc8c06611609486a1
                                                                                                              • Instruction ID: 00bf656f3cc58d957e3fc120c7d975a7f6f089e768df8f95d2ce2a55afbcf34e
                                                                                                              • Opcode Fuzzy Hash: b59592ccec0b1853c0d50eb209755673f49d30f0d63234ebc8c06611609486a1
                                                                                                              • Instruction Fuzzy Hash: 69E07EB2600119AF9B40DE8CDC81EEB37ADAB1D350F414016FA08E7200C274EC519BB4
                                                                                                              APIs
                                                                                                              • FindClose.KERNEL32(00000000,000000FF,00470C14,00000000,00471A10,?,00000000,00471A59,?,00000000,00471B92,?,00000000,?,00000000), ref: 00454BFA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseFind
                                                                                                              • String ID:
                                                                                                              • API String ID: 1863332320-0
                                                                                                              • Opcode ID: cdb9c2b7633e0d7853738bb459b1a46babdaf032508dd36dba6af5da7df12373
                                                                                                              • Instruction ID: 3c3cb6916585ff7422749358fc170cdffb6a73b651657da6609ae8be1e4b77d0
                                                                                                              • Opcode Fuzzy Hash: cdb9c2b7633e0d7853738bb459b1a46babdaf032508dd36dba6af5da7df12373
                                                                                                              • Instruction Fuzzy Hash: A7E065B0A056004BCB15DF3A858021A76D25FC5325F05C96AAC58CF397D63C84955656
                                                                                                              APIs
                                                                                                              • KiUserCallbackDispatcher.NTDLL(004953B6,?,004953D8,?,?,00000000,004953B6,?,?), ref: 004146AB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CallbackDispatcherUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2492992576-0
                                                                                                              • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                              • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                                                              • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                              • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                                                              APIs
                                                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F2C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3934441357-0
                                                                                                              • Opcode ID: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
                                                                                                              • Instruction ID: 1f586823f232578dbf745533d190da316c23ef772c10fc749b20f2ce5ea51255
                                                                                                              • Opcode Fuzzy Hash: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
                                                                                                              • Instruction Fuzzy Hash: E0D05B723091117AD620955F6C44DA76BDCCBC5770F11063EB558D72C1D7309C01C675
                                                                                                              APIs
                                                                                                                • Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D
                                                                                                              • ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                                                • Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoParametersSystem$ShowWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 3202724764-0
                                                                                                              • Opcode ID: 6539159081c566a845655d997cb077fb8df4a929aa301bd67fb88950e555413a
                                                                                                              • Instruction ID: 40ba6511a88705317f68f90b714cf273492cbff5df7e869aa0dea3a735aecdb5
                                                                                                              • Opcode Fuzzy Hash: 6539159081c566a845655d997cb077fb8df4a929aa301bd67fb88950e555413a
                                                                                                              • Instruction Fuzzy Hash: 89D05E123831B03106307BB72805ACB86AC8D966AB389047BB5409B302E91E8A0A61AC
                                                                                                              APIs
                                                                                                              • SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: TextWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 530164218-0
                                                                                                              • Opcode ID: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
                                                                                                              • Instruction ID: 772c2b490b6417829154bcce5d0a54014a2db275ddfc333997dbbca6f26d49c5
                                                                                                              • Opcode Fuzzy Hash: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
                                                                                                              • Instruction Fuzzy Hash: 7ED05EE27011702BCB01BAED54C4AC667CC9B8825AB1940BBF904EF257C678CE4083A8
                                                                                                              APIs
                                                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,004515B7,00000000), ref: 0042CD3F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AttributesFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 3188754299-0
                                                                                                              • Opcode ID: 25b3c26d3c79b78b40e0be7c0404abf70c39e9d787657ef1c43052f1caeba7d8
                                                                                                              • Instruction ID: 866207c2a99293721dc17515f5e31636ca325c5e587501d47fbe5ff4e718b97c
                                                                                                              • Opcode Fuzzy Hash: 25b3c26d3c79b78b40e0be7c0404abf70c39e9d787657ef1c43052f1caeba7d8
                                                                                                              • Instruction Fuzzy Hash: 77C08CE03222001A9A20A6BD2CC950F06CC891437A3A41F77B439E72E2D23DD8162018
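The function records on this page all follow one fixed layout: an APIs list with one call site per line (optionally marked as part of a subcall), a Memory Dump Source block, the IDA plugin snapshot name, and a Similarity block whose Opcode ID and Instruction Fuzzy Hash are the values an analyst pivots on between reports. The following Python parser for that layout is an added example and is not part of the Joe Sandbox report or its tooling. It runs on two records copied from this page (the constructed sample shortens their Associated lists), extracts each call's module, stack arguments and call-site address, and filters call sites by strings found on the stack, such as the Wow64DisableWow64FsRedirection name visible in the arguments of the FormatMessageA record above. The fuzzy hashes are Joe Sandbox's own values and are only carried through, never recomputed.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source / Similarity)
into structured data, so call sites can be filtered by stack strings and
pivoted on Opcode ID across reports.  Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API line, in either shape the report uses:
#   FormatMessageA.KERNEL32(00003200,...), ref: 0042E8F7
#   Part of subcall function 00423608: SystemParametersInfoA.USER32(...), ref: 0042361D
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
SECTION_HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                  # stack values as printed; "?" means unknown
    ref: int                    # virtual address of the call instruction
    subcall_of: Optional[int] = None   # callee address when the call is indirect


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)      # "Opcode ID" -> value, etc.
    associated: list = field(default_factory=list)  # associated .sdmp dumps

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")


def _clean(line: str) -> str:
    """Drop indentation, the bullet glyph and the 'Download File' link residue."""
    line = line.strip().lstrip("•").strip()
    if line.endswith("Download File"):
        line = line[: -len("Download File")]
    return line


def parse_records(text: str) -> list:
    """Split report text into FunctionRecord objects; each record starts at 'APIs'."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:
            continue                      # tail of a record whose header was cut off
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised API line: {line!r}")
            current.calls.append(ApiCall(
                name=m["name"], module=m["module"],
                args=[a.strip() for a in m["args"].split(",")] if m["args"] else [],
                ref=int(m["ref"], 16),
                subcall_of=int(m["sub"], 16) if m["sub"] else None))
        else:
            key, _, value = line.partition(":")   # "String ID:" yields an empty value
            key, value = key.strip(), value.strip()
            if key == "Associated":
                current.associated.append(value)
            else:
                current.fields[key] = value
    return records


def calls_referencing(records, needle: str) -> list:
    """(api, ref) for every call whose stack arguments mention `needle`.
    API names sitting on the stack of an unrelated call are a cheap hint that
    the sample resolves imports by name; here that is the Wow64 FS redirection pair."""
    needle = needle.lower()
    return [(c.name, c.ref) for r in records for c in r.calls
            if any(needle in a.lower() for a in c.args)]


def index_by_opcode(records) -> dict:
    """Opcode ID -> record, the key to pivot on between reports of related samples."""
    return {r.opcode_id: r for r in records if r.opcode_id}


# Constructed sample: two records copied from this report, Associated lists shortened.
SAMPLE = """\
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: 1d16c149c237ab05d394d1dcd15bc1a2ba242a73302d35381885c392630e106f
• Instruction Fuzzy Hash: E7E0D86178432126F23524166C43B7B110E43C0704FD080267A809F3D6D6EE9949425E
APIs
  • Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D
• ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
  • Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654
Similarity
• API ID: InfoParametersSystem$ShowWindow
• Opcode ID: 6539159081c566a845655d997cb077fb8df4a929aa301bd67fb88950e555413a
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for api, ref in calls_referencing(recs, "Wow64"):
        print(f"{api} at {ref:08X} has a Wow64 API name on its stack")
    print(sorted(index_by_opcode(recs)))
```

Feed it the whole report text rather than the sample to get every record; `index_by_opcode` then gives the set of Opcode IDs to intersect with a second sample's report when checking whether two droppers share code.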
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467B94,00000000,00000000,00000000,0000000C,00000000), ref: 00466EC4
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8D4,0040CE80,?,00000000,?), ref: 00406EE5
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
  • Part of subcall function 004506A0: GetLastError.KERNEL32(004504BC,00450762,?,00000000,?,004977FC,00000001,00000000,00000002,00000000,0049795D,?,?,00000005,00000000,00497991), ref: 004506A3
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
APIs
• SetCurrentDirectoryA.KERNEL32(00000000,?,0049778A,00000000,0049795D,?,?,00000005,00000000,00497991,?,?,00000000), ref: 004072BB
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
APIs
• SetErrorMode.KERNEL32(?,0042E41D), ref: 0042E410
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0047DC20,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DBDA
Similarity
• API ID: ByteCharMultiWide
• String ID:
• API String ID: 626452242-0
APIs
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• GetLastError.KERNEL32(00000000,00453019), ref: 00452FFB
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 1452528299-0
                                                                                                              • Opcode ID: 0834ab1e0ff74d13c83467379b9d37ae80668f7e4bd4fe23633cfebca466aa95
                                                                                                              • Instruction ID: 3702fe8876d82bde104835ae14f19b545f9b4323f369928b31ff8c7c86e788f0
                                                                                                              • Opcode Fuzzy Hash: 0834ab1e0ff74d13c83467379b9d37ae80668f7e4bd4fe23633cfebca466aa95
                                                                                                              • Instruction Fuzzy Hash: 32014C356043086A8B10CF69AC004AEFBE8DB4D7217108277FC14D3382DA744E0496E4
                                                                                                              APIs
                                                                                                              • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00001CAC,00005CAF,00401973), ref: 00401766
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 1263568516-0
                                                                                                              • Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                                              • Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
                                                                                                              • Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                                              • Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 2962429428-0
                                                                                                              • Opcode ID: b938081ec37ef3dcaeb0613a6c9f19dce7446eae7aee343fbba8aa446800b67d
                                                                                                              • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                                                              • Opcode Fuzzy Hash: b938081ec37ef3dcaeb0613a6c9f19dce7446eae7aee343fbba8aa446800b67d
                                                                                                              • Instruction Fuzzy Hash:
                                                                                                              APIs
                                                                                                              • GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
                                                                                                              • SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
                                                                                                              • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
                                                                                                              • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
                                                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
                                                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
                                                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
                                                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
                                                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
                                                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
                                                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
                                                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
                                                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
                                                                                                              • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
                                                                                                              • FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                                              • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                                              • API String ID: 2323315520-3614243559
                                                                                                              • Opcode ID: 7561659b3b600d63638f3944902fd7923d8484a487a3f9680a3db5d0744bedbe
                                                                                                              • Instruction ID: d5058fc073e0ad59750b6b6eed82d26134d8568d962b0a84cfd108907e917b52
                                                                                                              • Opcode Fuzzy Hash: 7561659b3b600d63638f3944902fd7923d8484a487a3f9680a3db5d0744bedbe
                                                                                                              • Instruction Fuzzy Hash: 8D310DB2640700EBEB01EBB9AC86A663294F728724745093FB508DB192D77C5C49CB1C
                                                                                                              APIs
                                                                                                              • GetTickCount.KERNEL32 ref: 00458993
                                                                                                              • QueryPerformanceCounter.KERNEL32(02133858,00000000,00458C26,?,?,02133858,00000000,?,00459322,?,02133858,00000000), ref: 0045899C
                                                                                                              • GetSystemTimeAsFileTime.KERNEL32(02133858,02133858), ref: 004589A6
                                                                                                              • GetCurrentProcessId.KERNEL32(?,02133858,00000000,00458C26,?,?,02133858,00000000,?,00459322,?,02133858,00000000), ref: 004589AF
                                                                                                              • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458A25
                                                                                                              • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02133858,02133858), ref: 00458A33
                                                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,00458BE2), ref: 00458A7B
                                                                                                              • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00458BD1,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,00458BE2), ref: 00458AB4
                                                                                                                • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                                              • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458B5D
                                                                                                              • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00458B93
                                                                                                              • CloseHandle.KERNEL32(000000FF,00458BD8,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458BCB
                                                                                                                • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                                              • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                                              • API String ID: 770386003-3271284199
                                                                                                              • Opcode ID: b3cb95de96f0a494fe77a0225261b47a74f516519aada3d90b4a318c7d3773ef
                                                                                                              • Instruction ID: 46381a2ef6f5f7687f8d932114089cfc0a3b3023078b53c1614b04e084b280c9
                                                                                                              • Opcode Fuzzy Hash: b3cb95de96f0a494fe77a0225261b47a74f516519aada3d90b4a318c7d3773ef
                                                                                                              • Instruction Fuzzy Hash: 02711370A04348AEDB11DB69CC41B5EBBF8EB15705F1084BAB944FB282DB7859488B69
                                                                                                              APIs
                                                                                                                • Part of subcall function 0047828C: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02132BD0,?,?,?,02132BD0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782A5
                                                                                                                • Part of subcall function 0047828C: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004782AB
                                                                                                                • Part of subcall function 0047828C: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132BD0,?,?,?,02132BD0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782BE
                                                                                                                • Part of subcall function 0047828C: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132BD0,?,?,?,02132BD0), ref: 004782E8
                                                                                                                • Part of subcall function 0047828C: CloseHandle.KERNEL32(00000000,?,?,?,02132BD0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 00478306
                                                                                                                • Part of subcall function 00478364: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004783F6,?,?,?,02132BD0,?,00478458,00000000,0047856E,?,?,-00000010,?), ref: 00478394
                                                                                                              • ShellExecuteEx.SHELL32(0000003C), ref: 004784A8
                                                                                                              • GetLastError.KERNEL32(00000000,0047856E,?,?,-00000010,?), ref: 004784B1
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004784FE
                                                                                                              • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478522
                                                                                                              • CloseHandle.KERNEL32(00000000,00478553,00000000,00000000,000000FF,000000FF,00000000,0047854C,?,00000000,0047856E,?,?,-00000010,?), ref: 00478546
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                                              • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                                              • API String ID: 883996979-221126205
                                                                                                              • Opcode ID: 7bc79704bed3dd733a1086ace77ac7314c1c869dae30f57a13a5b111f7ab0a8e
                                                                                                              • Instruction ID: be90243bdd9c3757315ff9bbcfcad83cd6a8df60a98d136a70e83fac94f3d3e4
                                                                                                              • Opcode Fuzzy Hash: 7bc79704bed3dd733a1086ace77ac7314c1c869dae30f57a13a5b111f7ab0a8e
                                                                                                              • Instruction Fuzzy Hash: E0314670A40609BEDB11EFAAD845ADEB6B8EF05314F50847FF518E7281DB7C89058B19
                                                                                                              APIs
                                                                                                              • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
                                                                                                              • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSendShowWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 1631623395-0
                                                                                                              • Opcode ID: ba2239a6b7e39db5a6c256e0bd052b844ec1d952261cb85ab3a20d26880a6eee
                                                                                                              • Instruction ID: ac1ceeab966790095f9612ce7a7db5e594191b89627cdcc61fab65d1acc55ab9
                                                                                                              • Opcode Fuzzy Hash: ba2239a6b7e39db5a6c256e0bd052b844ec1d952261cb85ab3a20d26880a6eee
                                                                                                              • Instruction Fuzzy Hash: 79914071B04214BFD711EFA9DA86F9D77F4AB04314F5500BAF504AB3A2CB78AE409B58
                                                                                                              APIs
                                                                                                              • IsIconic.USER32(?), ref: 004183A3
                                                                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
                                                                                                              • GetWindowRect.USER32(?), ref: 004183DC
                                                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 004183EA
                                                                                                              • GetWindowLongA.USER32(?,000000F8), ref: 004183FF
                                                                                                              • ScreenToClient.USER32(00000000), ref: 00418408
                                                                                                              • ScreenToClient.USER32(00000000,?), ref: 00418413
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                                              • String ID: ,
                                                                                                              • API String ID: 2266315723-3772416878
                                                                                                              • Opcode ID: 6217f91ca86bc21168c1a31dc77beadf87db026dacfe8a4e2043101b83599555
                                                                                                              • Instruction ID: f1655e9c1aaa1f9d3e17845697c0dfec8ab0781743990dff6cd0a114faef5a7c
                                                                                                              • Opcode Fuzzy Hash: 6217f91ca86bc21168c1a31dc77beadf87db026dacfe8a4e2043101b83599555
                                                                                                              • Instruction Fuzzy Hash: D6112B71505201AFDB00EF69C885F9B77E8AF49314F18067EBD58DB286D738D900CBA9
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(00000028), ref: 004555DF
                                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555E5
                                                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004555FE
                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455625
                                                                                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045562A
                                                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 0045563B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                              • String ID: SeShutdownPrivilege
                                                                                                              • API String ID: 107509674-3733053543
                                                                                                              • Opcode ID: 905e5c4f0c040865ada5a790a5680192090f128290145b13f19b3701cccf3d3d
                                                                                                              • Instruction ID: f0f78ca649e8ddc1473c2e21848b41e7847a09c75f53dffa28e6f5675cd8c776
                                                                                                              • Opcode Fuzzy Hash: 905e5c4f0c040865ada5a790a5680192090f128290145b13f19b3701cccf3d3d
                                                                                                              • Instruction Fuzzy Hash: 32F0F670284B42B9E610AA758C13F3B21C89B40B49F80083EBD09EA1C3D7BDC80C4A2F
                                                                                                              APIs
                                                                                                              • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D4F5
                                                                                                              • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D505
                                                                                                              • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D515
                                                                                                              • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F47B,00000000,0047F4A4), ref: 0045D53A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$CryptVersion
                                                                                                              • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                                              • API String ID: 1951258720-508647305
                                                                                                              • Opcode ID: 6323a5a980eb8feb456ca02504bfb6ad995229d531f09a6584140c28355fd360
                                                                                                              • Instruction ID: 2c2546d05897d0e560449e180de6b9da44e6f0241588afb6de3da162f6531889
                                                                                                              • Opcode Fuzzy Hash: 6323a5a980eb8feb456ca02504bfb6ad995229d531f09a6584140c28355fd360
                                                                                                              • Instruction Fuzzy Hash: 3AF012F0940704EBEB18DFB6BCC67623695ABD531AF14C137A404A51A2E778044CCE1D
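The two function listings above are the ones a triager reads first: a token-privilege sequence (OpenProcessToken, LookupPrivilegeValueA for SeShutdownPrivilege, AdjustTokenPrivileges, ExitWindowsEx with uFlags 00000002, which is EWX_REBOOT) and a run of GetProcAddress calls resolving ISCryptGetVersion, ArcFourInit and ArcFourCrypt, the exports of Inno Setup's ISCrypt.dll helper. The script below is an added example, not part of the Joe Sandbox report: it parses "Api.MODULE(args), ref: ADDR" bullets of the kind shown here (the sample text is copied from the listings above), orders the calls by call-site address, and flags the reboot capability and the runtime-resolved export names. The rule names, the identifier filter on GetProcAddress arguments and the `triage` wrapper are this example's own choices; the EWX_* values are the documented Win32 constants.

```python
import re
from dataclasses import dataclass

# Constructed sample: API bullets copied from the function listings above.
SAMPLE = """
• GetCurrentProcess.KERNEL32(00000028), ref: 004555DF
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555E5
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004555FE
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455625
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045562A
• ExitWindowsEx.USER32(00000002,00000000), ref: 0045563B
• GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D4F5
• GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D505
• GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D515
• ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F47B,00000000,0047F4A4), ref: 0045D53A
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F37), ref: 00455E28
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E2E
"""

# One bullet: "<Api>.<MODULE>(<args>), ref: <8 hex digits>"
API_LINE = re.compile(
    r"^\W*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# ExitWindowsEx uFlags bits (winuser.h); 0 means EWX_LOGOFF.
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int  # address of the call site


def parse_api_lines(text):
    """Parse API bullets and return the calls sorted by call-site address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)


def has_sequence(calls, wanted):
    """True if every API in `wanted` occurs, in that order, by ascending address."""
    names = [c.name for c in calls]
    pos = 0
    for w in wanted:
        try:
            pos = names.index(w, pos) + 1
        except ValueError:
            return False
    return True


def enabled_privileges(calls):
    """Privilege names passed to LookupPrivilegeValueA, the step before AdjustTokenPrivileges."""
    return {a for c in calls if c.name == "LookupPrivilegeValueA"
            for a in c.args if a.startswith("Se") and a.endswith("Privilege")}


def runtime_resolved_exports(calls):
    """Export names handed to GetProcAddress. The argument column is recovered from the
    stack and can carry leftovers (e.g. 'kernel32.dll' above), so keep only plain identifiers."""
    names = set()
    for c in calls:
        if c.name == "GetProcAddress" and len(c.args) >= 2 and re.fullmatch(r"[A-Za-z_]\w*", c.args[1]):
            names.add(c.args[1])
    return sorted(names)


def decode_exit_flags(value):
    """Decode an ExitWindowsEx uFlags value into EWX_* names."""
    if value == 0:
        return ["EWX_LOGOFF"]
    return [name for bit, name in sorted(EWX_FLAGS.items()) if value & bit]


def triage(text):
    """Return human-readable findings for the behaviours this example knows about."""
    calls = parse_api_lines(text)
    findings = []
    if "SeShutdownPrivilege" in enabled_privileges(calls) and has_sequence(
            calls, ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges", "ExitWindowsEx"]):
        uflags = next(int(c.args[0], 16) for c in calls if c.name == "ExitWindowsEx")
        findings.append("reboot/shutdown capability: SeShutdownPrivilege enabled, "
                        f"ExitWindowsEx({'|'.join(decode_exit_flags(uflags))})")
    exports = runtime_resolved_exports(calls)
    if exports:
        findings.append("runtime API resolution via GetProcAddress: " + ", ".join(exports))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Ordering by the `ref` address matters more than it looks: the argument columns are stack snapshots, so the privilege name and the ExitWindowsEx flags are reliable, but adjacent bullets from different functions are not, and a sequence rule should only fire when the calls sit in one address range as they do here.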
                                                                                                              APIs
                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000,00497D90,?,?,00000000,0049B628), ref: 00497ACB
                                                                                                              • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00497B4E
                                                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00497B8A,?,00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000), ref: 00497B66
                                                                                                              • FindClose.KERNEL32(000000FF,00497B91,00497B8A,?,00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000,00497D90), ref: 00497B84
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileFind$AttributesCloseFirstNext
                                                                                                              • String ID: isRS-$isRS-???.tmp
                                                                                                              • API String ID: 134685335-3422211394
                                                                                                              • Opcode ID: ba647548f34564e7f56f6c808fa7faec3af05a969934c2433d5159a38f0bbcda
                                                                                                              • Instruction ID: b2847bb1a44685988a55541ee7ac685ebeb66ffb5e30493f66813578f7a68db2
                                                                                                              • Opcode Fuzzy Hash: ba647548f34564e7f56f6c808fa7faec3af05a969934c2433d5159a38f0bbcda
                                                                                                              • Instruction Fuzzy Hash: A63165719146186FCF10EF65CC41ADEBBBCDB45318F5084F7A808A32A1E638AE458F58
                                                                                                              APIs
                                                                                                              • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457449
                                                                                                              • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457470
                                                                                                              • SetForegroundWindow.USER32(?), ref: 00457481
                                                                                                              • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,0045775B,?,00000000,00457797), ref: 00457746
                                                                                                              Strings
                                                                                                              • Cannot evaluate variable because [Code] isn't running yet, xrefs: 004575C6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                                              • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                                              • API String ID: 2236967946-3182603685
                                                                                                              • Opcode ID: fe95ac23089f8abddac86e3d9ae11b4981b9e88786854755ce7e63a50dbcddc8
                                                                                                              • Instruction ID: 5bc10c0d354cae83c82450a0913647aad13fd3ad71d4eb48676ad76960377df7
                                                                                                              • Opcode Fuzzy Hash: fe95ac23089f8abddac86e3d9ae11b4981b9e88786854755ce7e63a50dbcddc8
                                                                                                              • Instruction Fuzzy Hash: D9910034608204EFD715CF54E991F5ABBF9EB89305F2180BAED0897792D638AE04DF58
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F37), ref: 00455E28
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E2E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                              • API String ID: 1646373207-3712701948
                                                                                                              • Opcode ID: b5f149e20a31f3d313834126475bcf244ddb8ed42aa7b007c000aa6233a22d25
                                                                                                              • Instruction ID: 12dfdd1b414f9b5fa57bb507e68127e36b1c1a940f154b23c6ee37fdedd7ee09
                                                                                                              • Opcode Fuzzy Hash: b5f149e20a31f3d313834126475bcf244ddb8ed42aa7b007c000aa6233a22d25
                                                                                                              • Instruction Fuzzy Hash: 66415171A04649AFCF01EFA5C8929EFB7B8EF49304F508566F800F7252D6785E09CB69
                                                                                                              APIs
                                                                                                              • IsIconic.USER32(?), ref: 00417D1F
                                                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                                                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Placement$Iconic
                                                                                                              • String ID: ,
                                                                                                              • API String ID: 568898626-3772416878
                                                                                                              • Opcode ID: 419626ddcb93f619c016e5eb608395eb97e33a9638738bd346f5ce49c9230b00
                                                                                                              • Instruction ID: 117db6d3727d0f94901dea8748b8d47281c3d2add8a8e77c7f929e434730b1f7
                                                                                                              • Opcode Fuzzy Hash: 419626ddcb93f619c016e5eb608395eb97e33a9638738bd346f5ce49c9230b00
                                                                                                              • Instruction Fuzzy Hash: 41213171604208ABCF40EF69E8C0EEA77B8AF49314F05456AFD18DF246C678DD84CB68
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNEL32(00000001,00000000,00464205), ref: 00464079
                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 00464108
                                                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,004641BA,?,00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 0046419A
                                                                                                              • FindClose.KERNEL32(000000FF,004641C1,004641BA,?,00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 004641B4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$File$CloseErrorFirstModeNext
                                                                                                              • String ID:
                                                                                                              • API String ID: 4011626565-0
                                                                                                              • Opcode ID: ae980c7907389dfafffe65f94222ffd443bde6570b10391f97ae33023227fa5d
                                                                                                              • Instruction ID: 2652c2d8e8669354d55d474f1d59e7b06630ff05c6329d0403030a32038cf055
                                                                                                              • Opcode Fuzzy Hash: ae980c7907389dfafffe65f94222ffd443bde6570b10391f97ae33023227fa5d
                                                                                                              • Instruction Fuzzy Hash: 1E418770A00618AFCF10EF65DC55ADEB7B8EB89705F5044BAF804E7381E67C9E848E59
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNEL32(00000001,00000000,004646AB), ref: 00464539
                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 0046457F
                                                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00464658,?,00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 00464634
                                                                                                              • FindClose.KERNEL32(000000FF,0046465F,00464658,?,00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 00464652
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$File$CloseErrorFirstModeNext
                                                                                                              • String ID:
                                                                                                              • API String ID: 4011626565-0
                                                                                                              • Opcode ID: 8a1b155a3f91a4aa9fbf35308e738363c59e35d7d54ec670dc4b6b29b87b573a
                                                                                                              • Instruction ID: 7635123f594c8b6db569002a9bb01bf8fa96c74c2cf80da52efac59b167f1e7c
                                                                                                              • Opcode Fuzzy Hash: 8a1b155a3f91a4aa9fbf35308e738363c59e35d7d54ec670dc4b6b29b87b573a
                                                                                                              • Instruction Fuzzy Hash: D8416171A00A18EBCB10EFA5CC959DEB7B9EB88305F4044AAF804A7351E77C9E448E59
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E966
                                                                                                              • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E991
                                                                                                              • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E99E
                                                                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E9A6
                                                                                                              • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E9AC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 1177325624-0
                                                                                                              • Opcode ID: db388d08dfb8c48f2ab297580a8778080e815d8e8b0b37ff587e49df53ef3670
                                                                                                              • Instruction ID: 40e29ed62a0e901db822078ff48c294e58af048427126d47a83bbc7ee0829aa9
                                                                                                              • Opcode Fuzzy Hash: db388d08dfb8c48f2ab297580a8778080e815d8e8b0b37ff587e49df53ef3670
                                                                                                              • Instruction Fuzzy Hash: 4BF090B23A17207AF620B57A6C86F7F418CC785B68F10823BBB04FF1C1D9A85D05556D
                                                                                                              APIs
                                                                                                              • IsIconic.USER32(?), ref: 004833FA
                                                                                                              • GetWindowLongA.USER32(00000000,000000F0), ref: 00483418
                                                                                                              • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A4,004828DE,00482912,00000000,00482932,?,?,?,0049C0A4), ref: 0048343A
                                                                                                              • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A4,004828DE,00482912,00000000,00482932,?,?,?,0049C0A4), ref: 0048344E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Show$IconicLong
                                                                                                              • String ID:
                                                                                                              • API String ID: 2754861897-0
                                                                                                              • Opcode ID: 26f2524beb83a1697fb2f3c3d4c3f5548a09f48141019de32dcd2365822c4b68
                                                                                                              • Instruction ID: 9902e76ed030cf172564c6423cfc444f456bf65fce7539c2ce1f68efba32f602
                                                                                                              • Opcode Fuzzy Hash: 26f2524beb83a1697fb2f3c3d4c3f5548a09f48141019de32dcd2365822c4b68
                                                                                                              • Instruction Fuzzy Hash: 4D017134A452019EEB11BBA5DD8AB5B27C45F10B09F08083BB9029F2A3CB6D9D41D71C
                                                                                                              APIs
                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00462B90), ref: 00462B14
                                                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00462B70,?,00000000,?,00000000,00462B90), ref: 00462B50
                                                                                                              • FindClose.KERNEL32(000000FF,00462B77,00462B70,?,00000000,?,00000000,00462B90), ref: 00462B6A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$File$CloseFirstNext
                                                                                                              • String ID:
                                                                                                              • API String ID: 3541575487-0
                                                                                                              • Opcode ID: f304b7e405ec9403326d096206e821460da1cdcff9736e6297f3d959ba5c8769
                                                                                                              • Instruction ID: 0f193a6fcf1d943c675bf75123405c31ceeb2ecab595186adb6c93933d2a98b0
                                                                                                              • Opcode Fuzzy Hash: f304b7e405ec9403326d096206e821460da1cdcff9736e6297f3d959ba5c8769
                                                                                                              • Instruction Fuzzy Hash: 7121D871904B087EDB11DF65CC51ADEBBACDB49704F5084F7E808E31A1E6BCAE44CA5A
                                                                                                              APIs
                                                                                                              • IsIconic.USER32(?), ref: 004241F4
                                                                                                              • SetActiveWindow.USER32(?,?,?,0046CFFB), ref: 00424201
                                                                                                                • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                                                • Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021325AC,0042421A,?,?,?,0046CFFB), ref: 00423B5F
                                                                                                              • SetFocus.USER32(00000000,?,?,?,0046CFFB), ref: 0042422E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ActiveFocusIconicShow
                                                                                                              • String ID:
                                                                                                              • API String ID: 649377781-0
                                                                                                              • Opcode ID: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
                                                                                                              • Instruction ID: 85e094fd83fda52d6ba69bb43f194f943737e29f022f28d5c3d7585fd8a6de7d
                                                                                                              • Opcode Fuzzy Hash: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
                                                                                                              • Instruction Fuzzy Hash: ECF03A717001208BDB10EFAAA8C4B9662A8EF48344B5500BBBC09DF34BCA7CDC0187A8
                                                                                                              APIs
                                                                                                              • IsIconic.USER32(?), ref: 00417D1F
                                                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                                                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Placement$Iconic
                                                                                                              • String ID:
                                                                                                              • API String ID: 568898626-0
                                                                                                              • Opcode ID: e9f294a83204c688928c4c422749f875b3ddc518ff0edd6358ab4a317cb2701d
                                                                                                              • Instruction ID: b3485382f52430a3de90e88073d2477855dbbaeb9eeee9907b508ce44eeb6dab
                                                                                                              • Opcode Fuzzy Hash: e9f294a83204c688928c4c422749f875b3ddc518ff0edd6358ab4a317cb2701d
                                                                                                              • Instruction Fuzzy Hash: 02017C31204108ABDB10EE69E8C1EEA73A8AF45324F054567FD08CF242D639ECC087A8
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CaptureIconic
                                                                                                              • String ID:
                                                                                                              • API String ID: 2277910766-0
                                                                                                              • Opcode ID: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
                                                                                                              • Instruction ID: edcb67aebd7cb7e0e4c3241a821d6ac110e093164443c601d5aebb18a23c44a8
                                                                                                              • Opcode Fuzzy Hash: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
                                                                                                              • Instruction Fuzzy Hash: A2F04F32304A028BDB21A72EC885AEB62F5DF84368B14443FE415CB765EB7CDCD58758
                                                                                                              APIs
                                                                                                              • IsIconic.USER32(?), ref: 004241AB
                                                                                                                • Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
                                                                                                                • Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
                                                                                                                • Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
                                                                                                                • Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
                                                                                                              • SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF
                                                                                                                • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                                              • String ID:
                                                                                                              • API String ID: 2671590913-0
                                                                                                              • Opcode ID: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
                                                                                                              • Instruction ID: ffd443eaca36288e12b0fd3e34cf0737071334a0f5e631569de285e60205db71
                                                                                                              • Opcode Fuzzy Hash: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
                                                                                                              • Instruction Fuzzy Hash: 02E0E5A470010187EF00EFAAD8C9B9662A9AB48304F55057ABC08CF24BDA78C954C724
                                                                                                              APIs
                                                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NtdllProc_Window
                                                                                                              • String ID:
                                                                                                              • API String ID: 4255912815-0
                                                                                                              • Opcode ID: c048b5060f638d2d21f70beb9f23f52c1df829a0825c59c0675cf40435b3c9a3
                                                                                                              • Instruction ID: 2af12fea25256c3ae9471bae8fd4feed52cec15eb5e351c91de8273fd3ce68b3
                                                                                                              • Opcode Fuzzy Hash: c048b5060f638d2d21f70beb9f23f52c1df829a0825c59c0675cf40435b3c9a3
                                                                                                              • Instruction Fuzzy Hash: 055106316082058FD710DB6AD681A9BF3E5FF98304B2482BBD814C7392D7B8EDA1C759
                                                                                                              APIs
                                                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478B2A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NtdllProc_Window
                                                                                                              • String ID:
                                                                                                              • API String ID: 4255912815-0
                                                                                                              • Opcode ID: 9f19c8960208bf84e0a1f031f05f2c13e84af91581ae166fbadb947181b78a5a
                                                                                                              • Instruction ID: 518aae51b6d6b411e39a58dd47dc5b2362a2c83c3bfed1ee6c3543fdde473bb3
                                                                                                              • Opcode Fuzzy Hash: 9f19c8960208bf84e0a1f031f05f2c13e84af91581ae166fbadb947181b78a5a
                                                                                                              • Instruction Fuzzy Hash: 04413775644104DFCB10CF99C6898AAB7F5FB48310B74CA9AE848DB705DB38EE41DB54
                                                                                                              APIs
                                                                                                              • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045D5AB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CryptFour
                                                                                                              • String ID:
                                                                                                              • API String ID: 2153018856-0
                                                                                                              • Opcode ID: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                                                                              • Instruction ID: 2e238a974be0c8424367b3c35ccc205e7f0a308c5ec670be841bb4718b7179ff
                                                                                                              • Opcode Fuzzy Hash: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                                                                              • Instruction Fuzzy Hash: 37C09BF200420CBF660057D5ECC9C77B75CF6586547508126F6048210195726C104574
                                                                                                              APIs
                                                                                                              • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DDBC,?,0046DF9D), ref: 0045D5BE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CryptFour
                                                                                                              • String ID:
                                                                                                              • API String ID: 2153018856-0
                                                                                                              • Opcode ID: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                                                                              • Instruction ID: 227689971defb3a768f182aa15824e3680876923b4d994b81e1676941902ce31
                                                                                                              • Opcode Fuzzy Hash: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                                                                              • Instruction Fuzzy Hash: 9DA002B0A80300BAFD2057B05D4EF26352CA7D0F05F708465B202EA0D085A56410852C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3608273842.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3608216344.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                               • Associated: 00000001.00000002.3608347423.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10000000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                                              • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                                                              • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                                              • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3608273842.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3608216344.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                               • Associated: 00000001.00000002.3608347423.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10000000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                                              • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                                              • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                                              • Instruction Fuzzy Hash:
                                                                                                              APIs
                                                                                                                • Part of subcall function 0044B614: GetVersionExA.KERNEL32(00000094), ref: 0044B631
                                                                                                              • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
                                                                                                              • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
                                                                                                              • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
                                                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6CB
                                                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6DD
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6EF
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B701
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B713
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B725
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B737
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B749
                                                                                                              • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B75B
                                                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B76D
                                                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B77F
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B791
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B7A3
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7B5
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7C7
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7D9
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7EB
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7FD
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B80F
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B821
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B833
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B845
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B857
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B869
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B87B
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B88D
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B89F
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8B1
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8C3
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8D5
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8E7
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8F9
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B90B
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B91D
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B92F
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B941
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B953
                                                                                                              • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B965
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B977
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B989
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B99B
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B9AD
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9BF
                                                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9D1
                                                                                                              • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9E3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$LibraryLoadVersion
                                                                                                              • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                                              • API String ID: 1968650500-2910565190
                                                                                                              • Opcode ID: 0c8e19753f2f8210615bc5a5f26c821a667ede831694cf2c59d6b62027e60e29
                                                                                                              • Instruction ID: 346aa6b979044c2d6f95573bc57da9b6801dc261a15d858c7a91061cf3dc2738
                                                                                                              • Opcode Fuzzy Hash: 0c8e19753f2f8210615bc5a5f26c821a667ede831694cf2c59d6b62027e60e29
                                                                                                              • Instruction Fuzzy Hash: CC91E7B0A40B50EBEF00EBF5ADC6A2637A8EB15B14714467BB444EF295D778D800CF99
                                                                                                              APIs
                                                                                                              • CreateMutexA.KERNEL32(00499B18,00000001,00000000,00000000,004584B9,?,?,?,00000001,?,004586D3,00000000,004586E9,?,00000000,0049B628), ref: 004581D1
                                                                                                              • CreateFileMappingA.KERNEL32(000000FF,00499B18,00000004,00000000,00002018,00000000), ref: 00458209
                                                                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045848F,?,00499B18,00000001,00000000,00000000,004584B9,?,?,?), ref: 00458230
                                                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045833D
                                                                                                              • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045848F,?,00499B18,00000001,00000000,00000000,004584B9), ref: 00458295
                                                                                                                • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                                              • CloseHandle.KERNEL32(004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458354
                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045838D
                                                                                                              • GetLastError.KERNEL32(00000000,000000FF,004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045839F
                                                                                                              • UnmapViewOfFile.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458471
                                                                                                              • CloseHandle.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458480
                                                                                                              • CloseHandle.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458489
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                                                                                              • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
                                                                                                              • API String ID: 4012871263-351310198
                                                                                                              • Opcode ID: cc7ad6ccf5233eaebe813f6a5333062681ccb791baa3dad4f168156cebafbadf
                                                                                                              • Instruction ID: 29107a7cf73729034b65a1fcaaf08eab05738b19563c620e852bf3134b102344
                                                                                                              • Opcode Fuzzy Hash: cc7ad6ccf5233eaebe813f6a5333062681ccb791baa3dad4f168156cebafbadf
                                                                                                              • Instruction Fuzzy Hash: 46914170A002099BDB10EFA9C845B9EB7B4EB05305F50856FED14FB283DF7899498F69
                                                                                                              APIs
                                                                                                              • 73EAA570.USER32(00000000,?,0041A954,?), ref: 0041CA50
                                                                                                              • 73EB4C40.GDI32(?,00000000,?,0041A954,?), ref: 0041CA5C
                                                                                                              • 73EB6180.GDI32(0041A954,?,00000001,00000001,00000000,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA80
                                                                                                              • 73EB4C00.GDI32(?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA90
                                                                                                              • SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
                                                                                                              • FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
                                                                                                              • SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
                                                                                                              • SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
                                                                                                              • PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
                                                                                                              • 73EB4C40.GDI32(?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954), ref: 0041CB3B
                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
                                                                                                              • 73EA8830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954), ref: 0041CB84
                                                                                                              • 73EA22A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?), ref: 0041CB8D
                                                                                                              • 73EA8830.GDI32(0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CB9C
                                                                                                              • 73EA22A0.GDI32(0041CE4C,0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CBA5
                                                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
                                                                                                              • SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
                                                                                                              • 73EB4D40.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC1A,?,?,00000000), ref: 0041CBF1
                                                                                                              • SelectObject.GDI32(00000000,?), ref: 0041CBFE
                                                                                                              • DeleteDC.GDI32(00000000), ref: 0041CC14
                                                                                                                • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Color$ObjectSelect$A8830Text$A570B6180DeleteFillRect
                                                                                                              • String ID:
                                                                                                              • API String ID: 1816967894-0
                                                                                                              • Opcode ID: adf6567a18e9830f1830aa63917bca934ba6755201e08534c76e5c919bac5cde
                                                                                                              • Instruction ID: 69ed6b4e4825e3c47d53d1ee88e95f0281db4649dcd7e45998b3becab3701dfd
                                                                                                              • Opcode Fuzzy Hash: adf6567a18e9830f1830aa63917bca934ba6755201e08534c76e5c919bac5cde
                                                                                                              • Instruction Fuzzy Hash: 6261EC71A44609AFDF10EBE9DC86F9FB7B8EF48704F14446AB504E7281D67CA9408B68
                                                                                                              APIs
                                                                                                              • ShowWindow.USER32(?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000,?,004984EF,00000000,004984F9,?,00000000), ref: 00497E23
                                                                                                              • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000,?,004984EF,00000000), ref: 00497E36
                                                                                                              • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000), ref: 00497E46
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00497E67
                                                                                                              • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000), ref: 00497E77
                                                                                                                • Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,0045606A,00000000,004560D2), ref: 0042D491
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                                              • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                                              • API String ID: 2000705611-3672972446
                                                                                                              • Opcode ID: 082597774f549eda738f03d74d98f9d52f67cfbc56a945ed8bd031ee0c63b3f6
                                                                                                              • Instruction ID: d71e95358f961f9c8085103628ed7ebfe7aaf39cab9d6a0a027eda6f41515cae
                                                                                                              • Opcode Fuzzy Hash: 082597774f549eda738f03d74d98f9d52f67cfbc56a945ed8bd031ee0c63b3f6
                                                                                                              • Instruction Fuzzy Hash: C291B530A042449FDF11EBA9DC52BAE7FA4EF4A304F51447BF500AB292DA7DAC05CB59
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000000,0045ACF8,?,?,?,?,?,00000006,?,00000000,0049722D,?,00000000,004972D0), ref: 0045ABAA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                                              • API String ID: 1452528299-3112430753
                                                                                                              • Opcode ID: c66920e5c30c99cf277918279cba3cc6becf5feca79c3c8df3d973bfdf2d3f66
                                                                                                              • Instruction ID: f5e388fb48f96f1c0466849e1c52bdf0d536658550fb6e74c3a20cf80cd44526
                                                                                                              • Opcode Fuzzy Hash: c66920e5c30c99cf277918279cba3cc6becf5feca79c3c8df3d973bfdf2d3f66
                                                                                                              • Instruction Fuzzy Hash: 2271AE707002445BDB01EB69D8427AE77A6AF48316F50856BFC01DB383CA7C9A5DC79A
                                                                                                              APIs
                                                                                                              • GetVersion.KERNEL32 ref: 0045CF3E
                                                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CF5E
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CF6B
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CF78
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CF86
                                                                                                                • Part of subcall function 0045CE2C: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CECB,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CEA5
                                                                                                              • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D179,?,?,00000000), ref: 0045D03F
                                                                                                              • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D179,?,?,00000000), ref: 0045D048
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                                                              • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                                                              • API String ID: 59345061-4263478283
                                                                                                              • Opcode ID: 0692e2fed8a1faf7364eaae3f9f0a99faa4aa2306d0b5476e4b0968c8b8ae958
                                                                                                              • Instruction ID: 4ce31bb81caf279f5ed3d10c62bb09a2aad5f6c7ba3f26a8019cd68bbbdcec0a
                                                                                                              • Opcode Fuzzy Hash: 0692e2fed8a1faf7364eaae3f9f0a99faa4aa2306d0b5476e4b0968c8b8ae958
                                                                                                              • Instruction Fuzzy Hash: E95193B1D00608EFDB10DFA9C845BAEBBB8EF48315F14806AF915B7381C2389945CF69
                                                                                                              APIs
                                                                                                              • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,0045688D), ref: 00456592
                                                                                                              • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,0045688D), ref: 004565B8
                                                                                                              • SysFreeString.OLEAUT32(?), ref: 00456745
                                                                                                              Strings
                                                                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004566DB
                                                                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 0045677C
                                                                                                              • IPersistFile::Save, xrefs: 00456814
                                                                                                              • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004566A7
                                                                                                              • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 004567B6
                                                                                                              • IPropertyStore::Commit, xrefs: 00456795
                                                                                                              • CoCreateInstance, xrefs: 004565C3
                                                                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 0045672A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateInstance$FreeString
                                                                                                              • String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)
                                                                                                              • API String ID: 308859552-3936712486
                                                                                                              • Opcode ID: 7d0cfd58331e70c95d7e52b395728c42337191576a3ec6130da080a3535e9fef
                                                                                                              • Instruction ID: c99fdec92309fd26656a6f7ea9bd91ecf5cc306c054acb75a5569a06f28a4b2e
                                                                                                              • Opcode Fuzzy Hash: 7d0cfd58331e70c95d7e52b395728c42337191576a3ec6130da080a3535e9fef
                                                                                                              • Instruction Fuzzy Hash: 29A13E71A00104AFDB50EFA9C885B9E7BF8EF09706F55406AF804E7252DB38DD48CB69
                                                                                                              APIs
                                                                                                              • 73EB4C40.GDI32(00000000,?,00000000,?), ref: 0041B3D3
                                                                                                              • 73EB4C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3DD
                                                                                                              • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
                                                                                                              • 73EB6180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B406
                                                                                                              • 73EAA570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B412
                                                                                                              • 73EB4C00.GDI32(00000000,0000000B,?,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43F
                                                                                                              • 73EAA480.USER32(00000000,00000000,0041B472,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B465
                                                                                                              • SelectObject.GDI32(00000000,?), ref: 0041B480
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B48F
                                                                                                              • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B4D7
                                                                                                              • DeleteDC.GDI32(00000000), ref: 0041B4E0
                                                                                                              • DeleteDC.GDI32(?), ref: 0041B4E9
                                                                                                              Similarity
                                                                                                              • API ID: Object$Select$Delete$A480A570B6180Stretch
                                                                                                              • String ID:
                                                                                                              • API String ID: 118165962-0
                                                                                                              • Opcode ID: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
                                                                                                              • Instruction ID: 9e854467c286a28b18f31183f63f6c048648830cb6dea2264be82148a8da808a
                                                                                                              • Opcode Fuzzy Hash: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
                                                                                                              • Instruction Fuzzy Hash: DC419D71E40619AFDF10EAE9D846FAFB7B8EF08704F104466B614FB281D67969408BA4
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
                                                                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472F70
                                                                                                              • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00473077
                                                                                                              • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0047308D
                                                                                                              • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004730B2
                                                                                                              Similarity
                                                                                                              • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                                              • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                                              • API String ID: 971782779-3668018701
                                                                                                              • Opcode ID: 0d90696b7f394c24cdb4db4d6ef42549a737ff1f83f29ed15b4b10dbb48a3fc8
                                                                                                              • Instruction ID: 1ded2309c22d90a9957aabde76cedeacc99048359e90752decbb9b8a0015ab1b
                                                                                                              • Opcode Fuzzy Hash: 0d90696b7f394c24cdb4db4d6ef42549a737ff1f83f29ed15b4b10dbb48a3fc8
                                                                                                              • Instruction Fuzzy Hash: 8FD12574A00149AFDB01EFA9D581BDDBBF5AF08305F50806AF804B7392D778AE45CB69
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,?,00000000,?,00000000,00454AF9,?,0045AECE,00000003,00000000,00000000,00454B30), ref: 00454979
                                                                                                                • Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
                                                                                                              • RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,00000000,?,00000004,00000000,00454A43,?,0045AECE,00000000,00000000,?,00000000,?,00000000), ref: 004549FD
                                                                                                              • RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,00000000,?,00000004,00000000,00454A43,?,0045AECE,00000000,00000000,?,00000000,?,00000000), ref: 00454A2C
                                                                                                              Strings
                                                                                                              • RegOpenKeyEx, xrefs: 004548FC
                                                                                                              • , xrefs: 004548EA
                                                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548D0
                                                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454897
                                                                                                              Similarity
                                                                                                              • API ID: QueryValue$FormatMessageOpen
                                                                                                              • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                                              • API String ID: 2812809588-1577016196
                                                                                                              • Opcode ID: 77e820d85456ec5b21a3348e7c864f635890ca9680278173730b6b5baa6068b5
                                                                                                              • Instruction ID: 44bd6ba1492406805f437c97fe518088f2f8e7c1bef0b67c8a01139b77ca8c69
                                                                                                              • Opcode Fuzzy Hash: 77e820d85456ec5b21a3348e7c864f635890ca9680278173730b6b5baa6068b5
                                                                                                              • Instruction Fuzzy Hash: C0911471944248ABDB10DFE5D942BDEB7FCEB48309F50406BF900FB282D6789E458B69
                                                                                                              APIs
                                                                                                                • Part of subcall function 004596C8: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459805,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459715
                                                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459863
                                                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 004598CD
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459934
                                                                                                              Strings
                                                                                                              • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 004598E7
                                                                                                              • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459816
                                                                                                              • v1.1.4322, xrefs: 00459926
                                                                                                              • .NET Framework version %s not found, xrefs: 0045996D
                                                                                                              • .NET Framework not found, xrefs: 00459981
                                                                                                              • v4.0.30319, xrefs: 00459855
                                                                                                              • v2.0.50727, xrefs: 004598BF
                                                                                                              • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459880
                                                                                                              Similarity
                                                                                                              • API ID: Close$Open
                                                                                                              • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                                              • API String ID: 2976201327-446240816
                                                                                                              • Opcode ID: a27e16b2435ffffe3ed3affd436a97f5188f93bd827438211cc6c054a476643b
                                                                                                              • Instruction ID: 729b419896cd5506e065475e0ee5015c208a67e93f4f54458093df2d8724af3d
                                                                                                              • Opcode Fuzzy Hash: a27e16b2435ffffe3ed3affd436a97f5188f93bd827438211cc6c054a476643b
                                                                                                              • Instruction Fuzzy Hash: 0051A030A04145EBCB04DFA9C8A1BEE77B69B59305F54447FA841DB393D63D9E0E8B18
                                                                                                              APIs
                                                                                                              • CloseHandle.KERNEL32(?), ref: 00458DDF
                                                                                                              • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458DFB
                                                                                                              • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458E09
                                                                                                              • GetExitCodeProcess.KERNEL32(?), ref: 00458E1A
                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458E61
                                                                                                              • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458E7D
                                                                                                              Strings
                                                                                                              • Stopping 64-bit helper process. (PID: %u), xrefs: 00458DD1
                                                                                                              • Helper isn't responding; killing it., xrefs: 00458DEB
                                                                                                              • Helper process exited., xrefs: 00458E29
                                                                                                              • Helper process exited, but failed to get exit code., xrefs: 00458E53
                                                                                                              • Helper process exited with failure code: 0x%x, xrefs: 00458E47
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                                              • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                                              • API String ID: 3355656108-1243109208
                                                                                                              • Opcode ID: e1e6f1a428ddc606cbac7e5be58ccbeaead76fc5c320782193580adc03ed748c
                                                                                                              • Instruction ID: b06cb4cb11178ece3cea1db1bc2ca69ea432733d5239d7d0987fb8f0d427a68f
                                                                                                              • Opcode Fuzzy Hash: e1e6f1a428ddc606cbac7e5be58ccbeaead76fc5c320782193580adc03ed748c
                                                                                                              • Instruction Fuzzy Hash: D9216D706047009AD720E679C44275BB6E59F08709F04CC2FB999EB293DF78E8488B2A
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DDF4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20
                                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546EB,?,00000000,004547AF), ref: 0045463B
                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546EB,?,00000000,004547AF), ref: 00454777
                                                                                                                • Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
                                                                                                              Strings
                                                                                                              • , xrefs: 0045459D
                                                                                                              • RegCreateKeyEx, xrefs: 004545AF
                                                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454583
                                                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454553
                                                                                                              Similarity
                                                                                                              • API ID: CloseCreateFormatMessageQueryValue
                                                                                                              • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                                              • API String ID: 2481121983-1280779767
                                                                                                              • Opcode ID: a579990beb4c9b51ec5b3fea0749880c5f06a70a884d2fa71269d98e88c3cf61
                                                                                                              • Instruction ID: a200d9e45076b9aa1c9026ee470310bfc0f5ccdb1a8093a9a555fb12639cba12
                                                                                                              • Opcode Fuzzy Hash: a579990beb4c9b51ec5b3fea0749880c5f06a70a884d2fa71269d98e88c3cf61
                                                                                                              • Instruction Fuzzy Hash: 6C81DE75A00209AFDB00DFD5C941BDFB7F9EB49309F50442AE901FB282D7789A45CB69
                                                                                                              APIs
                                                                                                                • Part of subcall function 004538A8: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 00453997
                                                                                                                • Part of subcall function 004538A8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 004539A7
                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0049669D
                                                                                                              • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,004967F1), ref: 004966BE
                                                                                                              • CreateWindowExA.USER32(00000000,STATIC,00496800,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004966E5
                                                                                                              • SetWindowLongA.USER32(?,000000FC,00495E78), ref: 004966F8
                                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000,STATIC,00496800), ref: 00496728
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0049679C
                                                                                                              • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000), ref: 004967A8
                                                                                                                • Part of subcall function 00453D1C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E03
                                                                                                              • 73EB5CF0.USER32(?,004967CB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000,STATIC), ref: 004967BE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                                              • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                                              • API String ID: 170458502-2312673372
                                                                                                              • Opcode ID: c09fb920bc7669bd65d78bc4791726942d010f86c1ff051557e4c77676e60077
                                                                                                              • Instruction ID: 3fac7199250898b77632ea887e905273a0ca2a52c1bf25bf17bddf130f7f486a
                                                                                                              • Opcode Fuzzy Hash: c09fb920bc7669bd65d78bc4791726942d010f86c1ff051557e4c77676e60077
                                                                                                              • Instruction Fuzzy Hash: EE413D70A44208AFDF01EFA5DC42F9E7BB8EB09714F61457AF500F7291D6799E008BA8
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047E1E8,00000000), ref: 0042E451
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E457
                                                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047E1E8,00000000), ref: 0042E4A5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressCloseHandleModuleProc
                                                                                                              • String ID: .DEFAULT\Control Panel\International$=aE$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                                              • API String ID: 4190037839-1003587384
                                                                                                              • Opcode ID: 71ec1778410e517379c49e62a4abf791b893e005234a700e60dfa1d7d317b6f8
                                                                                                              • Instruction ID: 6214d84d9e891aa165dd1588e79579c1e4a82babed7fc21810c195be89e1891e
                                                                                                              • Opcode Fuzzy Hash: 71ec1778410e517379c49e62a4abf791b893e005234a700e60dfa1d7d317b6f8
                                                                                                              • Instruction Fuzzy Hash: 65215230B10219ABCB10EAE7DC45A9E77A8EB04318FA04877A500E7281EB7CDE41CA5C
                                                                                                              APIs
                                                                                                              • GetActiveWindow.USER32 ref: 00462D68
                                                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462D7C
                                                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462D89
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462D96
                                                                                                              • GetWindowRect.USER32(?,00000000), ref: 00462DE2
                                                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462E20
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                                              • API String ID: 2610873146-3407710046
                                                                                                              • Opcode ID: 07f038a1b45edca227de97dbc4e3a49cc5475e4390ab333f174a5f731d21d9c4
                                                                                                              • Instruction ID: 308e9426e96dcd15a0811dc773674cbbce9379ede84ac64ebea6e7762974983c
                                                                                                              • Opcode Fuzzy Hash: 07f038a1b45edca227de97dbc4e3a49cc5475e4390ab333f174a5f731d21d9c4
                                                                                                              • Instruction Fuzzy Hash: 8421A775701B046FD3019A64DD41F3B3395DB94714F08453AF944EB381E6B9EC018A9A
                                                                                                              APIs
                                                                                                              • GetActiveWindow.USER32 ref: 0042F1A4
                                                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1B8
                                                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1C5
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1D2
                                                                                                              • GetWindowRect.USER32(?,00000000), ref: 0042F21E
                                                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F25C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                                              • API String ID: 2610873146-3407710046
                                                                                                              • Opcode ID: fc179306045cef01cc7feea5ef12c7621bc9e212612d9656ab7fba5f67810d88
                                                                                                              • Instruction ID: f96f766bc13e38d455a6b30724ea53c80225cfaaeacd9570d6dca051b777ffc7
                                                                                                              • Opcode Fuzzy Hash: fc179306045cef01cc7feea5ef12c7621bc9e212612d9656ab7fba5f67810d88
                                                                                                              • Instruction Fuzzy Hash: 3221D7797057149BD300D664ED81F3B33A4DB85B14F88457AF944DB381D679EC044BA9
                                                                                                              APIs
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045915F,?,00000000,004591C2,?,?,02133858,00000000), ref: 00458FDD
                                                                                                              • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02133858,?,00000000,004590F4,?,00000000,00000001,00000000,00000000,00000000,0045915F), ref: 0045903A
                                                                                                              • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02133858,?,00000000,004590F4,?,00000000,00000001,00000000,00000000,00000000,0045915F), ref: 00459047
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00459093
                                                                                                              • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,004590CD,?,-00000020,0000000C,-00004034,00000014,02133858,?,00000000,004590F4,?,00000000), ref: 004590B9
                                                                                                              • GetLastError.KERNEL32(?,?,00000000,00000001,004590CD,?,-00000020,0000000C,-00004034,00000014,02133858,?,00000000,004590F4,?,00000000), ref: 004590C0
                                                                                                                • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                                              • String ID: CreateEvent$TransactNamedPipe
                                                                                                              • API String ID: 2182916169-3012584893
                                                                                                              • Opcode ID: 1e3f92d8c22a05294e06b5c780760953f793dd62cf34ae2b617d69319ed8131f
                                                                                                              • Instruction ID: 50fb7c1009465aa7c5405e125e9101384e11cc4d6b330c20a7fc1de2f8ccdd80
                                                                                                              • Opcode Fuzzy Hash: 1e3f92d8c22a05294e06b5c780760953f793dd62cf34ae2b617d69319ed8131f
                                                                                                              • Instruction Fuzzy Hash: 68417F71A00608EFDB15DF99C985F9EB7F9EB08714F1044AAF904E72D2C6789E44CB28
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456CBD,?,?,00000031,?), ref: 00456B80
                                                                                                              • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456B86
                                                                                                              • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456BD3
                                                                                                                • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                                              • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                                              • API String ID: 1914119943-2711329623
                                                                                                              • Opcode ID: 1f12b3bfc7457beb1676229d9a9ac5705a2be6c49cf36285249ab65db7443b7f
                                                                                                              • Instruction ID: a27b950e9f8baa5d3fd7d83d3f5f0f06fd95d714c0010da27a3b0cf72a10e13f
                                                                                                              • Opcode Fuzzy Hash: 1f12b3bfc7457beb1676229d9a9ac5705a2be6c49cf36285249ab65db7443b7f
                                                                                                              • Instruction Fuzzy Hash: AB319471B00604AFDB12EFAACC41D5BB7BDEB897557528466FC04D7252DA38DD04CB28
                                                                                                              APIs
                                                                                                              • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                                                              • LocalFree.KERNEL32(006B2460,00000000,00401B68), ref: 00401ACF
                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,006B2460,00000000,00401B68), ref: 00401AEE
                                                                                                              • LocalFree.KERNEL32(006B3460,?,00000000,00008000,006B2460,00000000,00401B68), ref: 00401B2D
                                                                                                              • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                                                              • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                              • String ID: 4:k$`$k$`4k
                                                                                                              • API String ID: 3782394904-3494583713
                                                                                                              • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                                              • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                                                              • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                                              • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                                                              APIs
                                                                                                              • RectVisible.GDI32(?,?), ref: 00416E23
                                                                                                              • SaveDC.GDI32(?), ref: 00416E37
                                                                                                              • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
                                                                                                              • RestoreDC.GDI32(?,?), ref: 00416E75
                                                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00416EF5
                                                                                                              • FrameRect.USER32(?,?,?), ref: 00416F28
                                                                                                              • DeleteObject.GDI32(?), ref: 00416F32
                                                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00416F42
                                                                                                              • FrameRect.USER32(?,?,?), ref: 00416F75
                                                                                                              • DeleteObject.GDI32(?), ref: 00416F7F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                                              • String ID:
                                                                                                              • API String ID: 375863564-0
                                                                                                              • Opcode ID: e9e72d8966bdaf80817d84d11445bcfe7b70581a29c6dab9ad28bd9778771da1
                                                                                                              • Instruction ID: 305d9ddf0f7240c011be45b7bb8b7ddc49b42f68556790db257713301bb8c367
                                                                                                              • Opcode Fuzzy Hash: e9e72d8966bdaf80817d84d11445bcfe7b70581a29c6dab9ad28bd9778771da1
                                                                                                              • Instruction Fuzzy Hash: FC514C712086445FDB54EF69C8C0B9777E8AF48314F15466AFD488B287C738EC85CB99
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                                              • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                                              • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                              • String ID:
                                                                                                              • API String ID: 1694776339-0
                                                                                                              • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                              • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                                              • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                              • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                                              APIs
                                                                                                              • GetSystemMenu.USER32(00000000,00000000), ref: 00422243
                                                                                                              • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
                                                                                                              • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
                                                                                                              • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
                                                                                                              • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
                                                                                                              • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
                                                                                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
                                                                                                              • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
                                                                                                              • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
                                                                                                              • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$Delete$EnableItem$System
                                                                                                              • String ID:
                                                                                                              • API String ID: 3985193851-0
                                                                                                              • Opcode ID: 510ebc35eb44907ae1e975f945bfd8864758d272309f2385250dfef8029dc5ab
                                                                                                              • Instruction ID: b791af981bedf3385b2dd143af085cc0c004e448fbd85fce69a0ff0a91ac5271
                                                                                                              • Opcode Fuzzy Hash: 510ebc35eb44907ae1e975f945bfd8864758d272309f2385250dfef8029dc5ab
                                                                                                              • Instruction Fuzzy Hash: 35213370340744BAE720D725DD8BF9B7BD89B04718F4440A5BA487F2D7C7F9AA80869C
                                                                                                              APIs
                                                                                                              • FreeLibrary.KERNEL32(10000000), ref: 00481499
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 004814AD
                                                                                                              • SendNotifyMessageA.USER32(000103E8,00000496,00002710,00000000), ref: 0048151F
                                                                                                              Strings
                                                                                                              • Not restarting Windows because Setup is being run from the debugger., xrefs: 004814CE
                                                                                                              • GetCustomSetupExitCode, xrefs: 00481339
                                                                                                              • Restarting Windows., xrefs: 004814FA
                                                                                                              • DeinitializeSetup, xrefs: 00481395
                                                                                                              • Deinitializing Setup., xrefs: 004812FA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeLibrary$MessageNotifySend
                                                                                                              • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                                              • API String ID: 3817813901-1884538726
                                                                                                              • Opcode ID: cfffdee43b38d7813a81b11c3b84a740b2c32b2c8dbaa0def3367d9992a49e61
                                                                                                              • Instruction ID: fb8259b883485ef9100c7f5c1e95e74d54582b152ce66d5af1bc00326fba4159
                                                                                                              • Opcode Fuzzy Hash: cfffdee43b38d7813a81b11c3b84a740b2c32b2c8dbaa0def3367d9992a49e61
                                                                                                              • Instruction Fuzzy Hash: 4451A034704240AFD711EB69D895B2E7BE9FB59704F50887BE801C72B1DB38A846CB5D
                                                                                                              APIs
                                                                                                              • SHGetMalloc.SHELL32(?), ref: 00461A33
                                                                                                              • GetActiveWindow.USER32 ref: 00461A97
                                                                                                              • CoInitialize.OLE32(00000000), ref: 00461AAB
                                                                                                              • SHBrowseForFolder.SHELL32(?), ref: 00461AC2
                                                                                                              • CoUninitialize.OLE32(00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AD7
                                                                                                              • SetActiveWindow.USER32(?,00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AED
                                                                                                              • SetActiveWindow.USER32(?,?,00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AF6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                                              • String ID: A
                                                                                                              • API String ID: 2684663990-3554254475
                                                                                                              • Opcode ID: 6bf2c69099c90f86a267e24c634b690acb1506b8ce1301c413aa044d63ad6a36
                                                                                                              • Instruction ID: 1302daae15839a874164301860301a8b98b45f7dd6f96d3c0913b4bd506695dd
                                                                                                              • Opcode Fuzzy Hash: 6bf2c69099c90f86a267e24c634b690acb1506b8ce1301c413aa044d63ad6a36
                                                                                                              • Instruction Fuzzy Hash: 64314FB0E00248AFDB00EFE6D885A9EBBF8EB09304F51447AF404E7251E7785A44CF59
                                                                                                              APIs
                                                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000,?,00472F85,?,?,00000000,004731F4), ref: 00472C8C
                                                                                                                • Part of subcall function 0042CDA4: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE1A
                                                                                                                • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                                                              • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000,?,00472F85), ref: 00472D03
                                                                                                              • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000), ref: 00472D09
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                                              • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                                              • API String ID: 884541143-1710247218
                                                                                                              • Opcode ID: e52ff7fc8aad4532f2121d8bd5e8e7392c558ff45c5d59df65582d72ab666be0
                                                                                                              • Instruction ID: a2498b92200520dbea2b626460b71344a260e4c3afc9e0684e621ff8b49742b9
                                                                                                              • Opcode Fuzzy Hash: e52ff7fc8aad4532f2121d8bd5e8e7392c558ff45c5d59df65582d72ab666be0
                                                                                                              • Instruction Fuzzy Hash: 731122303005087BD721EA66DD82B9E73ACCB88714F60853BB404B72D1CB7CEE02865C
                                                                                                              APIs
                                                                                                              • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D621
                                                                                                              • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D631
                                                                                                              • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D641
                                                                                                              • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D651
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc
                                                                                                              • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                                              • API String ID: 190572456-3516654456
                                                                                                              • Opcode ID: fd665f86a4c397101f291ae51b8d6e2550680f8309e6d6ef8ebab45c29bb7339
                                                                                                              • Instruction ID: 6d5035e3426567f523c7c0f539c0fc89aa7e9857b83a97dd2a4ec5b9764e3533
                                                                                                              • Opcode Fuzzy Hash: fd665f86a4c397101f291ae51b8d6e2550680f8309e6d6ef8ebab45c29bb7339
                                                                                                              • Instruction Fuzzy Hash: 0D01ECB0900740DEEB24DFB6ACC572236A5ABA470AF14C13B980DD62A2D779044ADF2C
                                                                                                              APIs
                                                                                                              • SetBkColor.GDI32(?,00000000), ref: 0041A9C9
                                                                                                              • 73EB4D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AA03
                                                                                                              • SetBkColor.GDI32(?,?), ref: 0041AA18
                                                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
                                                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
                                                                                                              • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
                                                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
                                                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
                                                                                                              • SetBkColor.GDI32(00000000,?), ref: 0041AAD3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Color$StretchText
                                                                                                              • String ID:
                                                                                                              • API String ID: 2984075790-0
                                                                                                              • Opcode ID: 318b750f44eee03e3b20258c50c4ae641761c2031fb7fe23ccccef054dc028d8
                                                                                                              • Instruction ID: 0e7efefeb240adcf91359f1fba61dc18d1efd34d50a4dd97ee32c9a960060edb
                                                                                                              • Opcode Fuzzy Hash: 318b750f44eee03e3b20258c50c4ae641761c2031fb7fe23ccccef054dc028d8
                                                                                                              • Instruction Fuzzy Hash: 9861C5B5A00105EFCB40EFADD985E9AB7F8AF08314B10856AF918DB261C735ED41CF68
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,004580B4,?, /s ",?,regsvr32.exe",?,004580B4), ref: 00458026
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseDirectoryHandleSystem
                                                                                                              • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                                              • API String ID: 2051275411-1862435767
                                                                                                              • Opcode ID: 55f146e1ef8f4e902545c9b8fd40e77843967da88cee367bff3e11b3e7507cae
                                                                                                              • Instruction ID: 809e342f07c36c5fe80e3456e65159aecd70c9e1b429d99a18f855550af0e9f5
                                                                                                              • Opcode Fuzzy Hash: 55f146e1ef8f4e902545c9b8fd40e77843967da88cee367bff3e11b3e7507cae
                                                                                                              • Instruction Fuzzy Hash: 97411570A043086BDB10EFD5D842B8EF7B9AB49705F51407FA904BB292DF789A0D8B19
                                                                                                              APIs
                                                                                                              • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1B9
                                                                                                              • GetSysColor.USER32(00000014), ref: 0044D1C0
                                                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044D1D8
                                                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D201
                                                                                                              • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D20B
                                                                                                              • GetSysColor.USER32(00000010), ref: 0044D212
                                                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044D22A
                                                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D253
                                                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D27E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Text$Color$Draw$OffsetRect
                                                                                                              • String ID:
                                                                                                              • API String ID: 1005981011-0
                                                                                                              • Opcode ID: 0dad7e536888b1c395f42d34690ba7b0fa2f949a96348ff67bbd6a991a2663e5
                                                                                                              • Instruction ID: 3cb6cff9cb4fe1f97db5fca9cf7ecf77bacdc285bba155e9e6a5fbb2dce94e66
                                                                                                              • Opcode Fuzzy Hash: 0dad7e536888b1c395f42d34690ba7b0fa2f949a96348ff67bbd6a991a2663e5
                                                                                                              • Instruction Fuzzy Hash: 4921CFB42015007FC710FB6ACD8AE8B7BDCDF19319B01857AB918EB393C678DD408669
                                                                                                              APIs
                                                                                                              • GetFocus.USER32 ref: 0041B755
                                                                                                              • 73EAA570.USER32(?), ref: 0041B761
                                                                                                              • 73EA8830.GDI32(00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B796
                                                                                                              • 73EA22A0.GDI32(00000000,00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B7A2
                                                                                                              • 73EB6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B7D0
                                                                                                              • 73EA8830.GDI32(00000000,00000000,00000000,0041B811,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B804
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: A8830$A570B6310Focus
                                                                                                              • String ID: k H
                                                                                                              • API String ID: 3003132339-1447039187
                                                                                                              • Opcode ID: 4650e7e3a4975632b128e642f4d75ab8ab1f3030e92489ac81d42ae66184f42b
                                                                                                              • Instruction ID: e4fa2330707e2e3496a7563b6e1a8945dd65194040c1b513b55e56702052f46b
                                                                                                              • Opcode Fuzzy Hash: 4650e7e3a4975632b128e642f4d75ab8ab1f3030e92489ac81d42ae66184f42b
                                                                                                              • Instruction Fuzzy Hash: 33512D74A00208AFCB11DFA9C855AEEBBF9FF49704F104466F504A7390D7789981CBA9
                                                                                                              APIs
                                                                                                              • GetFocus.USER32 ref: 0041BA27
                                                                                                              • 73EAA570.USER32(?), ref: 0041BA33
                                                                                                              • 73EA8830.GDI32(00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA6D
                                                                                                              • 73EA22A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA79
                                                                                                              • 73EB6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BA9D
                                                                                                              • 73EA8830.GDI32(00000000,00000000,00000000,0041BADE,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BAD1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: A8830$A570B6310Focus
                                                                                                              • String ID: k H
                                                                                                              • API String ID: 3003132339-1447039187
                                                                                                              • Opcode ID: 69b514878c6882b8832b1f329327574619d6a3e89a85ba6a4f0b9ad1becc3db2
                                                                                                              • Instruction ID: 8a06375b061ea5bfc02952791cdae78cf5b61e443f36c9dad2d84499db0416b2
                                                                                                              • Opcode Fuzzy Hash: 69b514878c6882b8832b1f329327574619d6a3e89a85ba6a4f0b9ad1becc3db2
                                                                                                              • Instruction Fuzzy Hash: FE510975A002189FCB11DFA9C891AAEBBF9FF49700F15806AF504EB751D7789D40CBA4
                                                                                                              APIs
                                                                                                                • Part of subcall function 00450918: SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
                                                                                                                • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 00495F55
                                                                                                              • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00495F69
                                                                                                              • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00495F83
                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495F8F
                                                                                                              • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495F95
                                                                                                              • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495FA8
                                                                                                              Strings
                                                                                                              • Deleting Uninstall data files., xrefs: 00495ECB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                                              • String ID: Deleting Uninstall data files.
                                                                                                              • API String ID: 1570157960-2568741658
                                                                                                              • Opcode ID: 23da1316c50969bb810f13416529c5ad46a4d90d4c3b6db3608d618ecf590902
                                                                                                              • Instruction ID: fec72cc46ef3efd5c3c8e8a450f489c3c08d507a48e2b84f6ee45df75d5b7e94
                                                                                                              • Opcode Fuzzy Hash: 23da1316c50969bb810f13416529c5ad46a4d90d4c3b6db3608d618ecf590902
                                                                                                              • Instruction Fuzzy Hash: 34219571304610AFEB11EB75ECC2B2637A8EB54338F61053BF504DA1E6D678AC008B1D
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004705A1,?,?,?,?,00000000), ref: 0047050B
                                                                                                              • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004705A1), ref: 00470522
                                                                                                              • AddFontResourceA.GDI32(00000000), ref: 0047053F
                                                                                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00470553
                                                                                                              Strings
                                                                                                              • Failed to set value in Fonts registry key., xrefs: 00470514
                                                                                                              • Failed to open Fonts registry key., xrefs: 00470529
                                                                                                              • AddFontResource, xrefs: 0047055D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                                                              • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                                                              • API String ID: 955540645-649663873
                                                                                                              • Opcode ID: 2b4b64eddd1924655c58b9871aff7fb9a4f934a6e6bff31d8454543361526e14
                                                                                                              • Instruction ID: 66ce3b01f7eb708e2302e7809b1ea03697ff66c32de1c99646f3643d23023453
                                                                                                              • Opcode Fuzzy Hash: 2b4b64eddd1924655c58b9871aff7fb9a4f934a6e6bff31d8454543361526e14
                                                                                                              • Instruction Fuzzy Hash: 62216570741204BBDB10EA669C42FAE779D9B55708F50843BB904EB3C2D67CDE028A5D
                                                                                                              APIs
                                                                                                                • Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
                                                                                                                • Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
                                                                                                                • Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE
                                                                                                              • GetVersion.KERNEL32 ref: 004631CC
                                                                                                              • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0046320A
                                                                                                              • SHGetFileInfo.SHELL32(004632A8,00000000,?,00000160,00004011), ref: 00463227
                                                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 00463245
                                                                                                              • SetCursor.USER32(00000000,00000000,00007F02,004632A8,00000000,?,00000160,00004011), ref: 0046324B
                                                                                                              • SetCursor.USER32(?,0046328B,00007F02,004632A8,00000000,?,00000160,00004011), ref: 0046327E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                                                              • String ID: Explorer
                                                                                                              • API String ID: 2594429197-512347832
                                                                                                              • Opcode ID: e51ab44d2e52b3d60675834673e9b9904728f2271d1ef9b75da4c79774d1131e
                                                                                                              • Instruction ID: b0d998c5e58c3251a46d3edbb0a2afbc6be3b3781793d4cbec8386629f90fe5f
                                                                                                              • Opcode Fuzzy Hash: e51ab44d2e52b3d60675834673e9b9904728f2271d1ef9b75da4c79774d1131e
                                                                                                              • Instruction Fuzzy Hash: FA21E7307403446AEB10FF795C57F9A7698DB09709F5040BFF605EA1C3EA7C8908866D
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02132BD0,?,?,?,02132BD0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782A5
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004782AB
                                                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132BD0,?,?,?,02132BD0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782BE
                                                                                                              • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132BD0,?,?,?,02132BD0), ref: 004782E8
                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,02132BD0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 00478306
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                                              • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                                              • API String ID: 2704155762-2318956294
                                                                                                              • Opcode ID: 626e47d356fab76083b756a204e0250164ee9b03011d355f3d3167744cb8654e
                                                                                                              • Instruction ID: d6ca79aa4c48c3adffb9da4b01ee7f27494699adf3768a2d59cb90ace03db172
                                                                                                              • Opcode Fuzzy Hash: 626e47d356fab76083b756a204e0250164ee9b03011d355f3d3167744cb8654e
                                                                                                              • Instruction Fuzzy Hash: 5701C4707C0B0466E520316E4D8AFEB554C8B54B69F54813F7E0CEA2C2DDAE8D06016E
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000000,0045A2F2,?,00000000,00000000,00000000,?,00000006,?,00000000,0049722D,?,00000000,004972D0), ref: 0045A236
                                                                                                                • Part of subcall function 004543E0: FindClose.KERNEL32(000000FF,004544D6), ref: 004544C5
                                                                                                              Strings
                                                                                                              • Failed to delete directory (%d)., xrefs: 0045A2CC
                                                                                                              • Deleting directory: %s, xrefs: 0045A1BF
                                                                                                              • Stripped read-only attribute., xrefs: 0045A1F8
                                                                                                              • Failed to strip read-only attribute., xrefs: 0045A204
                                                                                                              • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A210
                                                                                                              • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A2AB
                                                                                                              • Failed to delete directory (%d). Will retry later., xrefs: 0045A24F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseErrorFindLast
                                                                                                              • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                                              • API String ID: 754982922-1448842058
                                                                                                              • Opcode ID: 3a6653ca049153ac913e3aecd6f83d976b01ed6d176f23095ac7eac981277501
                                                                                                              • Instruction ID: e72d66395cbcced70a1ff0d39e5b36b51bb4b2a363b16cebf3a96f2a9050ba33
                                                                                                              • Opcode Fuzzy Hash: 3a6653ca049153ac913e3aecd6f83d976b01ed6d176f23095ac7eac981277501
                                                                                                              • Instruction Fuzzy Hash: 9A41A730A042449ACB00DBA988463AE76A55F4930AF5486BBBC04D7393CB7D8E1D875F
                                                                                                              APIs
                                                                                                              • GetCapture.USER32 ref: 00422EB4
                                                                                                              • GetCapture.USER32 ref: 00422EC3
                                                                                                              • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
                                                                                                              • ReleaseCapture.USER32 ref: 00422ECE
                                                                                                              • GetActiveWindow.USER32 ref: 00422EDD
                                                                                                              • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
                                                                                                              • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
                                                                                                              • GetActiveWindow.USER32 ref: 00422FCF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                                              • String ID:
                                                                                                              • API String ID: 862346643-0
                                                                                                              • Opcode ID: f8c2677d6609ac077b52c6186ee7afb2eac2e0eedff02b6813b422cc668acf14
                                                                                                              • Instruction ID: 0c1e69f79f034fd7694da938dfb4ae80f60ee9794ae3f0b0e2c785ff7ec3c7d8
                                                                                                              • Opcode Fuzzy Hash: f8c2677d6609ac077b52c6186ee7afb2eac2e0eedff02b6813b422cc668acf14
                                                                                                              • Instruction Fuzzy Hash: E4413F70B00254AFDB10EB6ADA42B9A77F1EF44304F5540BAF500AB392DB78AE40DB5D
                                                                                                              APIs
                                                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0042F2CA
                                                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 0042F2E1
                                                                                                              • GetActiveWindow.USER32 ref: 0042F2EA
                                                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F317
                                                                                                              • SetActiveWindow.USER32(?,0042F447,00000000,?), ref: 0042F338
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ActiveLong$Message
                                                                                                              • String ID:
                                                                                                              • API String ID: 2785966331-0
                                                                                                              • Opcode ID: 511403c039d27e5fd3d4a37a0efbe646b1f0bba5a7b321b537e6f3b04ffedf77
                                                                                                              • Instruction ID: 0493a3c03df3966e51b4b777c60d25e7c68e0b9e8cdf2dbcd65ae894a3a71964
                                                                                                              • Opcode Fuzzy Hash: 511403c039d27e5fd3d4a37a0efbe646b1f0bba5a7b321b537e6f3b04ffedf77
                                                                                                              • Instruction Fuzzy Hash: 7631B471A00654AFDB01EFB5DC52E6EBBB8EB09714B91447AF804E3691D738AD10CB58
                                                                                                              APIs
                                                                                                              • 73EAA570.USER32(00000000), ref: 0042949A
                                                                                                              • GetTextMetricsA.GDI32(00000000), ref: 004294A3
                                                                                                                • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 004294B2
                                                                                                              • GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 004294C6
                                                                                                              • 73EAA480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294CE
                                                                                                              • GetSystemMetrics.USER32(00000006), ref: 004294F3
                                                                                                              • GetSystemMetrics.USER32(00000006), ref: 0042950D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                                                                              • String ID:
                                                                                                              • API String ID: 361401722-0
                                                                                                              • Opcode ID: ed5406780fbe6b6ddf9677d4a66f370c2a77f814a30f66ac1398573dbf155f17
                                                                                                              • Instruction ID: f9189b99ec718bdc55f682ba078bc6b9c4dab98ca430e676b6dc028aca6f8884
                                                                                                              • Opcode Fuzzy Hash: ed5406780fbe6b6ddf9677d4a66f370c2a77f814a30f66ac1398573dbf155f17
                                                                                                              • Instruction Fuzzy Hash: 3301E1917087513BFB11B67A9CC2F6B61C8CB8435CF44043FFA459A3D2D96C9C80866A
                                                                                                              APIs
                                                                                                              • 73EAA570.USER32(00000000,?,00419069,004985AE), ref: 0041DE37
                                                                                                              • 73EB4620.GDI32(00000000,0000005A,00000000,?,00419069,004985AE), ref: 0041DE41
                                                                                                              • 73EAA480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419069,004985AE), ref: 0041DE4E
                                                                                                              • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
                                                                                                              • GetStockObject.GDI32(00000007), ref: 0041DE6B
                                                                                                              • GetStockObject.GDI32(00000005), ref: 0041DE77
                                                                                                              • GetStockObject.GDI32(0000000D), ref: 0041DE83
                                                                                                              • LoadIconA.USER32(00000000,00007F00), ref: 0041DE94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ObjectStock$A480A570B4620IconLoad
                                                                                                              • String ID:
                                                                                                              • API String ID: 4016658241-0
                                                                                                              • Opcode ID: c7b946ff5d18463f692f08f3109d9fac972284bfbf41894a6d0fe66ccf938658
                                                                                                              • Instruction ID: 4e0a0a69a1fbcc37fa68332f5170e2556ef2fd96a8c36c1a21edcb526b0e3b4b
                                                                                                              • Opcode Fuzzy Hash: c7b946ff5d18463f692f08f3109d9fac972284bfbf41894a6d0fe66ccf938658
                                                                                                              • Instruction Fuzzy Hash: E11100B06457015AE740FF666A92BA63694D724708F00813FF605AF3D2D7792C449B9E
                                                                                                              APIs
                                                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 004636B0
                                                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,00463745), ref: 004636B6
                                                                                                              • SetCursor.USER32(?,0046372D,00007F02,00000000,00463745), ref: 00463720
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Cursor$Load
                                                                                                              • String ID: $ $Internal error: Item already expanding
                                                                                                              • API String ID: 1675784387-1948079669
                                                                                                              • Opcode ID: 11d96d50149c7a0783bfaa5a1745a1d7ac95eac117891e2e72ad5ff3e9801c67
                                                                                                              • Instruction ID: 5f7148262a90782ca5f39c73a98182432cf514ee5891adbc4e31059349ad3c9c
                                                                                                              • Opcode Fuzzy Hash: 11d96d50149c7a0783bfaa5a1745a1d7ac95eac117891e2e72ad5ff3e9801c67
                                                                                                              • Instruction Fuzzy Hash: EEB19270600284DFD710DF29C585B9ABBF1AF04319F14C4AAE8459B792E778EE48CF5A
                                                                                                              APIs
                                                                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E03
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfileStringWrite
                                                                                                              • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                                              • API String ID: 390214022-3304407042
                                                                                                              • Opcode ID: 4808755b3c6221495a972d98e090ec94bd7c13575b017f43438820c08e4f7dc1
                                                                                                              • Instruction ID: f7f3e57e327ad0b7fc32dd9a0c0ef844c3cf52932767352b59a94e8a2e0b7a1e
                                                                                                              • Opcode Fuzzy Hash: 4808755b3c6221495a972d98e090ec94bd7c13575b017f43438820c08e4f7dc1
                                                                                                              • Instruction Fuzzy Hash: 0E910534E001099BDB01EFA5D842BDEB7F5EF4874AF50806AE90077292D7786E49CB59
                                                                                                              APIs
                                                                                                              • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476BC5
                                                                                                              • 73EB59E0.USER32(00000000,000000FC,00476B20,00000000,00476E04,?,00000000,00476E2E), ref: 00476BEC
                                                                                                              • GetACP.KERNEL32(00000000,00476E04,?,00000000,00476E2E), ref: 00476C29
                                                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476C6F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ClassInfoMessageSend
                                                                                                              • String ID: COMBOBOX$Inno Setup: Language
                                                                                                              • API String ID: 1455646776-4234151509
                                                                                                              • Opcode ID: 93cc19c1f2ae3cdeb94a735bb7db030fa770b3f4550c722f8e96ab60bc3149ff
                                                                                                              • Instruction ID: 76a62d5c2b18ddabed1a1f2db415f61daf58d6c828ad3828204ddc2489713d7e
                                                                                                              • Opcode Fuzzy Hash: 93cc19c1f2ae3cdeb94a735bb7db030fa770b3f4550c722f8e96ab60bc3149ff
                                                                                                              • Instruction Fuzzy Hash: 4E813C346006059FC720DF69C985AEAB7F2FB09304F1580BAE849E7762D738ED41CB59
                                                                                                              APIs
                                                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,00408970,?,?,?,?,00000000,00000000,00000000,?,00409977,00000000,0040998A), ref: 00408742
                                                                                                                • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                                                                • Part of subcall function 004085BC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale$DefaultSystem
                                                                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                              • API String ID: 1044490935-665933166
                                                                                                              • Opcode ID: c01586f9bbb032a7f0f1a98200a37c80c0f70fbac98b28b944ff8a28395f8419
                                                                                                              • Instruction ID: bf07bec6589cb82417a29d9109d5e68838e6a5c97ac1b9e4b464d3d1e075229e
                                                                                                              • Opcode Fuzzy Hash: c01586f9bbb032a7f0f1a98200a37c80c0f70fbac98b28b944ff8a28395f8419
                                                                                                              • Instruction Fuzzy Hash: 55513E24B00108ABD701FBA69E41A9E77A9DB94304F50C07FA541BB3C7DA3DDE05975D
                                                                                                              APIs
                                                                                                              • GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
                                                                                                              • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A
                                                                                                                • Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6
                                                                                                              • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6
                                                                                                                • Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0
                                                                                                              • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                                              • String ID: ,$?
                                                                                                              • API String ID: 2359071979-2308483597
                                                                                                              • Opcode ID: 0b2693d76eb6c03a37913dcbbd37782b63df6b44dbfb9d662716933429e9dd30
                                                                                                              • Instruction ID: df95c3f439c97799bb0998fa3429798e8a176efd4e8e18b788060c5868d8049e
                                                                                                              • Opcode Fuzzy Hash: 0b2693d76eb6c03a37913dcbbd37782b63df6b44dbfb9d662716933429e9dd30
                                                                                                              • Instruction Fuzzy Hash: BA51F674A00144ABDB10EF6ADC816DA7BF9AF09304B11857BF914E73A6E738DD41CB58
                                                                                                              APIs
                                                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
                                                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
                                                                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
                                                                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
                                                                                                              • DeleteObject.GDI32(?), ref: 0041BFAF
                                                                                                              • DeleteObject.GDI32(?), ref: 0041BFB8
                                                                                                              • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                                              • String ID:
                                                                                                              • API String ID: 1030595962-0
                                                                                                              • Opcode ID: 5d40efa9a489d930f0c3474e6c583d61de37ea4c8bf925e82c26674748b1ae5a
                                                                                                              • Instruction ID: 0934d86ca8fb123134a847d885dc0ae0ba41a9d0998c4bba382ea8cf266d8dc0
                                                                                                              • Opcode Fuzzy Hash: 5d40efa9a489d930f0c3474e6c583d61de37ea4c8bf925e82c26674748b1ae5a
                                                                                                              • Instruction Fuzzy Hash: 5A510571E00219AFCB14DFA9C8819EEBBF9EF48314B11442AF914E7391D738AD81CB64
                                                                                                              APIs
                                                                                                              • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
                                                                                                              • 73EB4620.GDI32(00000000,00000026), ref: 0041CF2D
                                                                                                              • 73EA8830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF93
                                                                                                              • 73EA22A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CFA2
                                                                                                              • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
                                                                                                              • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
                                                                                                              • 73EA8830.GDI32(?,?,00000001,0041D07C,00000000,00000026), ref: 0041D06F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Stretch$A8830$B4620BitsMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 3862416161-0
                                                                                                              • Opcode ID: ba9b00c7f19e374317db92bbaed8cea8fa7d56fa7ee5636777b85d926aa1c199
                                                                                                              • Instruction ID: 415929d19c0355200a34ec50ec85ee50bdb26205500aadc12dd1df5ccaef5bc8
                                                                                                              • Opcode Fuzzy Hash: ba9b00c7f19e374317db92bbaed8cea8fa7d56fa7ee5636777b85d926aa1c199
                                                                                                              • Instruction Fuzzy Hash: 7A514EB0604200AFD714DFA9C995F9BBBF9EF08304F10859AB549DB292C779ED81CB58
                                                                                                              APIs
                                                                                                              • SendMessageA.USER32(00000000,?,?), ref: 00457166
                                                                                                                • Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC
                                                                                                                • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                                                • Part of subcall function 0041EEB4: 73EB5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09
                                                                                                                • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004571CD
                                                                                                              • TranslateMessage.USER32(?), ref: 004571EB
                                                                                                              • DispatchMessageA.USER32(?), ref: 004571F4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message$TextWindow$B5940CurrentDispatchSendThreadTranslate
                                                                                                              • String ID: [Paused]
                                                                                                              • API String ID: 3047618091-4230553315
                                                                                                              • Opcode ID: a723b0617cbdde8b0455b730e79db8c0792bcf361dff27c4d69091156c9f8888
                                                                                                              • Instruction ID: cc82e29175726c0716c689c1ffa83d11e9869aeff1ced20ba9c80888b84e3111
                                                                                                              • Opcode Fuzzy Hash: a723b0617cbdde8b0455b730e79db8c0792bcf361dff27c4d69091156c9f8888
                                                                                                              • Instruction Fuzzy Hash: 013196309082489EDB11DBB5EC81FDEBBB8DB49314F5540B7F800E7292D67C9909CB69
                                                                                                              APIs
                                                                                                              • GetCursor.USER32(00000000,0046B897), ref: 0046B814
                                                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 0046B822
                                                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B897), ref: 0046B828
                                                                                                              • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B897), ref: 0046B832
                                                                                                              • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B897), ref: 0046B838
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Cursor$LoadSleep
                                                                                                              • String ID: CheckPassword
                                                                                                              • API String ID: 4023313301-1302249611
                                                                                                              • Opcode ID: 653d9654f76fc9f2c348947714f395caa5fd1a5bea1654e8e7fe328d35dfe1b3
                                                                                                              • Instruction ID: aec6a0205c5a75bc54f0fc291e1a1f9730d999611bc1887dd1e74dc6007ab6bd
                                                                                                              • Opcode Fuzzy Hash: 653d9654f76fc9f2c348947714f395caa5fd1a5bea1654e8e7fe328d35dfe1b3
                                                                                                              • Instruction Fuzzy Hash: 333164346406049FD711EB69C889F9E7BE4EF49304F5580B6F844DB3A2D778AD40CB99
                                                                                                              APIs
                                                                                                                • Part of subcall function 00477AB0: GetWindowThreadProcessId.USER32(00000000), ref: 00477AB8
                                                                                                                • Part of subcall function 00477AB0: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477BAF,0049C0A4,00000000), ref: 00477ACB
                                                                                                                • Part of subcall function 00477AB0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477AD1
                                                                                                              • SendMessageA.USER32(00000000,0000004A,00000000,00477F42), ref: 00477BBD
                                                                                                              • GetTickCount.KERNEL32 ref: 00477C02
                                                                                                              • GetTickCount.KERNEL32 ref: 00477C0C
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477C61
                                                                                                              Strings
                                                                                                              • CallSpawnServer: Unexpected response: $%x, xrefs: 00477BF2
                                                                                                              • CallSpawnServer: Unexpected status: %d, xrefs: 00477C4A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                                              • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                                              • API String ID: 613034392-3771334282
                                                                                                              • Opcode ID: 56bd6ace22e6e2035f5031cc9978de37ae905e15686cac3f17074c750df7538a
                                                                                                              • Instruction ID: 65d184c56696bd8d6baefe4a5ac293f093c2dd543b1706e930bc299cdf77f89e
                                                                                                              • Opcode Fuzzy Hash: 56bd6ace22e6e2035f5031cc9978de37ae905e15686cac3f17074c750df7538a
                                                                                                              • Instruction Fuzzy Hash: B131A474B042149ADB11EBB988867EEB6A09F48304F90C47AF548EB392D67C9E41879D
                                                                                                              APIs
                                                                                                              • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00459BA3
                                                                                                              Strings
                                                                                                              • CreateAssemblyCache, xrefs: 00459B9A
                                                                                                              • Failed to load .NET Framework DLL "%s", xrefs: 00459B88
                                                                                                              • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00459BAE
                                                                                                              • .NET Framework CreateAssemblyCache function failed, xrefs: 00459BC6
                                                                                                              • Fusion.dll, xrefs: 00459B43
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc
                                                                                                              • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                                              • API String ID: 190572456-3990135632
                                                                                                              • Opcode ID: edece01ff0b44ec29f5677049ed357158d3b305d3ba0728d372a41e2f192b5a4
                                                                                                              • Instruction ID: 1db31b6b51e2e068c3f61674d824012408e1fbc1d182cf764eafebb5ab4ea00f
                                                                                                              • Opcode Fuzzy Hash: edece01ff0b44ec29f5677049ed357158d3b305d3ba0728d372a41e2f192b5a4
                                                                                                              • Instruction Fuzzy Hash: EF318970E00619EBDB01EFA5C88169EB7B8AF44315F50857BE814E7382D738AE09C799
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065
                                                                                                              • GetFocus.USER32 ref: 0041C178
                                                                                                              • 73EAA570.USER32(?), ref: 0041C184
                                                                                                              • 73EA8830.GDI32(?,?,00000000,00000000,0041C203,?,?), ref: 0041C1A5
                                                                                                              • 73EA22A0.GDI32(?,?,?,00000000,00000000,0041C203,?,?), ref: 0041C1B1
                                                                                                              • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
                                                                                                              • 73EA8830.GDI32(?,00000000,00000000,0041C20A,?,?), ref: 0041C1F0
                                                                                                              • 73EAA480.USER32(?,?,0041C20A,?,?), ref: 0041C1FD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: A8830$A480A570BitsFocusObject
                                                                                                              • String ID:
                                                                                                              • API String ID: 2263944860-0
                                                                                                              • Opcode ID: 32c019c2b17a625013bd7d07803e420f9d7b692fe3dc5f877fb11705181084ab
                                                                                                              • Instruction ID: a51b9c7cee13939b32e911f1849152ebfa7eb0d73570b73294f05c7218cf190f
                                                                                                              • Opcode Fuzzy Hash: 32c019c2b17a625013bd7d07803e420f9d7b692fe3dc5f877fb11705181084ab
                                                                                                              • Instruction Fuzzy Hash: A0116A71E40609BBDB10DBE9CC85FAFBBFCEF48700F54446AB518E7281D67899008B28
                                                                                                              APIs
                                                                                                              • GetSystemMetrics.USER32(0000000E), ref: 00418C80
                                                                                                              • GetSystemMetrics.USER32(0000000D), ref: 00418C88
                                                                                                              • 6F962980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E
                                                                                                                • Part of subcall function 004099C0: 6F95C400.COMCTL32(0049B628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099C4
                                                                                                              • 6F9CCB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
                                                                                                              • 6F9CC740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
                                                                                                              • 6F9CCB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
                                                                                                              • 6F960860.COMCTL32(0049B628,00418D1F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MetricsSystem$C400C740F960860F962980
                                                                                                              • String ID:
                                                                                                              • API String ID: 2981860891-0
                                                                                                              • Opcode ID: 33c04b7a68779a44c69ffbd8ad79940853ad3b201d45ee57610259a2e4dbeb77
                                                                                                              • Instruction ID: e0b43fe86d74620756cf035266125a11838772e9d6ef4bcae2e69295d5b8951d
                                                                                                              • Opcode Fuzzy Hash: 33c04b7a68779a44c69ffbd8ad79940853ad3b201d45ee57610259a2e4dbeb77
                                                                                                              • Instruction Fuzzy Hash: A11149B1744204BBEB10EBA9DC83F5E73B8DB48704F6044BAB604E72D2DB799D409759
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004837A4), ref: 00483789
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: CloseOpen
• String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
• API String ID: 47109696-2530820420
• Opcode ID: ae1742725748cd88b87d9fe0d1248e5a5e1a514a3c9083b9a236ca5d7aa17843
• Instruction ID: 8316402a246994b7737153b66ed252a9f16b12b2be78e08e0fa98e077eb8f510
• Opcode Fuzzy Hash: ae1742725748cd88b87d9fe0d1248e5a5e1a514a3c9083b9a236ca5d7aa17843
• Instruction Fuzzy Hash: 0311B1B4704244AADB10FF65CC52B5E7AE9DB41B19F60C87BA400A7282EB38CA05875C
APIs
• 73EAA570.USER32(00000000,?,?,00000000), ref: 00494EE9
  • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
• SelectObject.GDI32(00000000,00000000), ref: 00494F0B
• GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495489), ref: 00494F1F
• GetTextMetricsA.GDI32(00000000,?), ref: 00494F41
• 73EAA480.USER32(00000000,00000000,00494F6B,00494F64,?,00000000,?,?,00000000), ref: 00494F5E
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00494F16
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 1435929781-222967699
• Opcode ID: f7d6f97b91dc48adac3cf3527b9ba73e93ee7bba49e4f60ed72cccac08d23d6d
• Instruction ID: 6f18d4fe6cef93123b0455e30b82395b7dbfc0c8f911bccc88a8e51c4d6277b1
• Opcode Fuzzy Hash: f7d6f97b91dc48adac3cf3527b9ba73e93ee7bba49e4f60ed72cccac08d23d6d
• Instruction Fuzzy Hash: 95018476A04609BFEB00DBA9CC41F5EB7ECDB89704F51447AB600E7281D678AE018B28
APIs
• SelectObject.GDI32(00000000,?), ref: 0041B480
• SelectObject.GDI32(?,00000000), ref: 0041B48F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
• SelectObject.GDI32(?,00000000), ref: 0041B4D7
• DeleteDC.GDI32(00000000), ref: 0041B4E0
• DeleteDC.GDI32(?), ref: 0041B4E9
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: ObjectSelect$Delete$Stretch
• String ID:
• API String ID: 1458357782-0
• Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
• Instruction ID: 28529174ed8a1a36c66279ad8c479dcd7ed434ba0fbaa502c63cdd0cc078bbc5
• Opcode Fuzzy Hash: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
• Instruction Fuzzy Hash: A1114C72E40559ABDF10D6D9D885FAFB3BCEF08704F048456B614FB241C678A8418B54
APIs
• GetCursorPos.USER32 ref: 004233BF
• WindowFromPoint.USER32(?,?), ref: 004233CC
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
• GetCurrentThreadId.KERNEL32 ref: 004233E1
• SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
• SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
• SetCursor.USER32(00000000), ref: 00423423
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
• String ID:
• API String ID: 1770779139-0
• Opcode ID: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
• Instruction ID: 219e0d69ac6b6a38dcb61baa39fbc914f783b163521ae56cddb293ea60412e1c
• Opcode Fuzzy Hash: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
• Instruction Fuzzy Hash: E601D42230472036D6217B795C86E2F26A8CFC5B15F50457FB649BB283DA3D8C0063BD
APIs
• RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0218A350,00001CAC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
• RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0218A350,00001CAC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
• LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0218A350,00001CAC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
• RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0218A350,00001CAC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID: 4:k$`$k
• API String ID: 730355536-3326908055
• Opcode ID: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
• Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
• Opcode Fuzzy Hash: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
• Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00494D0C
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00494D19
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00494D26
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
• API String ID: 667068680-2254406584
• Opcode ID: 70207861a9ddbbfcf1ec4c2ebf1ed82301f215222d5c3051e71e037128298d5d
• Instruction ID: 42226921e916c2e61715a17367c32eae2b2292ab525ca03b869d6a68ec0a34c4
• Opcode Fuzzy Hash: 70207861a9ddbbfcf1ec4c2ebf1ed82301f215222d5c3051e71e037128298d5d
• Instruction Fuzzy Hash: 6CF0F69AB41B1466DA2025B68C81F7B698CCFD1B71F050337BE04A7382ED9D8D0642AD
APIs
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D9F5
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DA05
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DA15
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AddressProc
• String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
• API String ID: 190572456-212574377
• Opcode ID: 01040e06415ef817a4763b016626a28be3372e477bb5bd5db3809bf0997a53ea
• Instruction ID: e47ea2fb967bc5a05fa6d8d3c64fcba096cc564050e4d812c51f788cc71ed1ca
• Opcode Fuzzy Hash: 01040e06415ef817a4763b016626a28be3372e477bb5bd5db3809bf0997a53ea
• Instruction Fuzzy Hash: 2BF030B0D05300DFEB24DFB29CC372336959BA4316F14803B9A0D96267D278088CCE2C
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,00480D8E), ref: 0042EA45
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA4B
• InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA5C
  • Part of subcall function 0042E9BC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9D2
  • Part of subcall function 0042E9BC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
  • Part of subcall function 0042E9BC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9E9
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA70
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
• String ID: ChangeWindowMessageFilterEx$user32.dll
• API String ID: 142928637-2676053874
                                                                                                              • Opcode ID: d06cc84e9d2e4e0b448c748badd712702b96776d6b0267aa2fd44745f5a2b4d6
                                                                                                              • Instruction ID: 2c8c4e1fda890c3dedf4e0e73620de090a3a9d5666271f16a874a7bcdd66483b
                                                                                                              • Opcode Fuzzy Hash: d06cc84e9d2e4e0b448c748badd712702b96776d6b0267aa2fd44745f5a2b4d6
                                                                                                              • Instruction Fuzzy Hash: 52E092A1741720EAEA10B7B67CC6F9A2668E714729F54403BF100A51E1C3BD1C80CE9E
APIs
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044F099), ref: 0044C7FB
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C80C
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C81C
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
• API String ID: 2238633743-1050967733
• Opcode ID: c58342e6ebd42d3e550f5fa79659fa064c9032f03f8e913941057cc824ddc2bd
• Instruction ID: d5a6e329c062b47ae4ba9e11e7719f1ec1b45dd3e70fac445fdcae0b1af11dcb
• Opcode Fuzzy Hash: c58342e6ebd42d3e550f5fa79659fa064c9032f03f8e913941057cc824ddc2bd
• Instruction Fuzzy Hash: 64F0FE70246305CAFB50BBB5FDC67223694E3A4B0AF18137BE40156192D7BC4444CF4C
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,004985F4), ref: 00478B42
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478B5F
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
• API String ID: 667068680-222143506
• Opcode ID: dff5fcaa570554af533fa68d6d4d47fa30ed3b2efb34bda6c6df081b9be12d17
• Instruction ID: 8ade474bf949b7c868f23be577f60042bf37b8b7e1302e6d2b868e4e2d48ad49
• Opcode Fuzzy Hash: dff5fcaa570554af533fa68d6d4d47fa30ed3b2efb34bda6c6df081b9be12d17
• Instruction Fuzzy Hash: D4C0E9F0AC1740EEAA00E7F15CDAD762558D514B34724943F754DAA193D97D58044A2C
APIs
• GetFocus.USER32 ref: 0041B58E
• 73EAA570.USER32(?,00000000,0041B668,?,?,?,?), ref: 0041B59A
• 73EB4620.GDI32(?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5B6
• 73EDE680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5D3
• 73EDE680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668), ref: 0041B5EA
• 73EAA480.USER32(?,?,0041B643,?,?), ref: 0041B636
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: E680$A480A570B4620Focus
• String ID:
• API String ID: 1492359852-0
• Opcode ID: 5d7c3ba993e5eebd83af6d17b2c287e498e3d287d4e0c623dc28ca4d995b2802
• Instruction ID: 7d41d09f6123fe0998bcf531a8d6f09bc5b1e179d78523dd82c4b1b978091a2c
• Opcode Fuzzy Hash: 5d7c3ba993e5eebd83af6d17b2c287e498e3d287d4e0c623dc28ca4d995b2802
• Instruction Fuzzy Hash: 7E41D571A04254AFDB10DFA9C886EAFBBB4EB55704F1484AAF500EB351D3389D11CBA5
APIs
• SetLastError.KERNEL32(00000057,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D41B
• SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D4E8,?,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D45A
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: ErrorLast
• String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
• API String ID: 1452528299-1580325520
• Opcode ID: 4cfdc77ab01fb36c91946a35bece077a72b39e520f3a0bad4193af408e0f5770
• Instruction ID: bfdb5615fdc952ab51c5d4d36cfcdc52ba3649a349ed7733e19bd606ff263fd4
• Opcode Fuzzy Hash: 4cfdc77ab01fb36c91946a35bece077a72b39e520f3a0bad4193af408e0f5770
• Instruction Fuzzy Hash: A6117835A04204ABD731DE95C941A5E76DCDF46306F608077AD0596283D67C6F0A952A
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
• GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
• 73EAA570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF9
• 73EB4620.GDI32(00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE20
• 73EB4620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE2D
• 73EAA480.USER32(00000000,00000000,0041BE73,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE66
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: B4620MetricsSystem$A480A570
• String ID:
• API String ID: 1175345567-0
• Opcode ID: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
• Instruction ID: cee0947e7f2791638d7e7c91bd9cc57ffb528c4a132e606019bcc307a049f0f1
• Opcode Fuzzy Hash: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
• Instruction Fuzzy Hash: 40212C74E046499FEB00EFA9C982BEEB7B4EB48714F10842AF514B7781D7785940CBA9
APIs
• GetWindowLongA.USER32(?,000000EC), ref: 0047E272
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CFF1), ref: 0047E298
• GetWindowLongA.USER32(?,000000EC), ref: 0047E2A8
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E2C9
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E2DD
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E2F9
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
• Opcode ID: f65d960a6ef7549d8abdb9e067b5e5f1b226f2d151c0a96430342ef03e516e78
• Instruction ID: 64a3e6c2176d4acc74ea6130292171d5cd043058eec335b926c35577e1896bc6
• Opcode Fuzzy Hash: f65d960a6ef7549d8abdb9e067b5e5f1b226f2d151c0a96430342ef03e516e78
• Instruction Fuzzy Hash: DE010CB5651210ABE600D769DE41F66379CAB0D334F0503AAB959DF2E3C729EC009B49
APIs
  • Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B
• UnrealizeObject.GDI32(00000000), ref: 0041B28C
• SelectObject.GDI32(?,00000000), ref: 0041B29E
• SetBkColor.GDI32(?,00000000), ref: 0041B2C1
• SetBkMode.GDI32(?,00000002), ref: 0041B2CC
• SetBkColor.GDI32(?,00000000), ref: 0041B2E7
• SetBkMode.GDI32(?,00000001), ref: 0041B2F2
  • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_noode.jbxd
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
• Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
• Instruction ID: 5f3c9a08814bcb0dec11b684bd4148c9aa8da507e688bf70d4fc6563dceee2e6
• Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
• Instruction Fuzzy Hash: 7EF0C2B1651501ABCE00FFBAD9CAE4B37A89F043097088057B544DF197C97CD8548B3D
                                                                                                              APIs
                                                                                                                • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                                              • ShowWindow.USER32(?,00000005,00000000,00497991,?,?,00000000), ref: 00497762
                                                                                                                • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                                                • Part of subcall function 004072B0: SetCurrentDirectoryA.KERNEL32(00000000,?,0049778A,00000000,0049795D,?,?,00000005,00000000,00497991,?,?,00000000), ref: 004072BB
                                                                                                                • Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,0045606A,00000000,004560D2), ref: 0042D491
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                                              • String ID: .dat$.msg$IMsg$Uninstall
                                                                                                              • API String ID: 3312786188-1660910688
                                                                                                              • Opcode ID: 8060b02bfbd0833a98a3e6243afb85b8b494b7fa2efbfb07078fe99f385005b5
                                                                                                              • Instruction ID: bbf2e7f3574d42a9113524bdb42c94a944b0e97273f2a70b882bd080beededf8
                                                                                                              • Opcode Fuzzy Hash: 8060b02bfbd0833a98a3e6243afb85b8b494b7fa2efbfb07078fe99f385005b5
                                                                                                              • Instruction Fuzzy Hash: 8E318F74A10214AFDB00EF65DC82D6E7BB5EB89318B51847AF800AB392D739BD01CB58
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EAEA
                                                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAF0
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB19
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                                                              • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                                              • API String ID: 828529508-2866557904
                                                                                                              • Opcode ID: 915f5369749bf1dd2f4e97bc9020bef18acdf07caf1deb2404a0262322aa2bf8
                                                                                                              • Instruction ID: f5c55ae169209784706469d1b6e96428d25835975ad7b3a5622eb1d8c2489c6d
                                                                                                              • Opcode Fuzzy Hash: 915f5369749bf1dd2f4e97bc9020bef18acdf07caf1deb2404a0262322aa2bf8
                                                                                                              • Instruction Fuzzy Hash: 2DF022E078062136E620E2BFACC3F6B498C8FA0725F040436F009EA2C2E92C9900422E
                                                                                                              APIs
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00457E64
                                                                                                              • GetExitCodeProcess.KERNEL32(?,00498116), ref: 00457E85
                                                                                                              • CloseHandle.KERNEL32(?,00457EB8,?,?,004586D3,00000000,00000000), ref: 00457EAB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                                              • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                                              • API String ID: 2573145106-3235461205
                                                                                                              • Opcode ID: 575e6b60f34cbf4eff7e6cad29998e42f3eca010a17ab32e5b4d53f7e3c6a35f
                                                                                                              • Instruction ID: 6a931132ee958b8202ab537f65b64b7fb4871f4dbf11571726e28c2ddef09419
                                                                                                              • Opcode Fuzzy Hash: 575e6b60f34cbf4eff7e6cad29998e42f3eca010a17ab32e5b4d53f7e3c6a35f
                                                                                                              • Instruction Fuzzy Hash: 1101A735604704AFDB11EB999D43A1E77A8DB49711F5004B6FC10E73D3D63C9D048618
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9D2
                                                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
                                                                                                              • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9E9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                                                              • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                                              • API String ID: 3478007392-2498399450
                                                                                                              • Opcode ID: 9d5cf1aadbd407eeb031432e352e4554899be5068d45876e9cc0d059751b9763
                                                                                                              • Instruction ID: 5ef4959e42d5312267b3952f4de6be483a2b5690063b138e9708ef51bd19b1c3
                                                                                                              • Opcode Fuzzy Hash: 9d5cf1aadbd407eeb031432e352e4554899be5068d45876e9cc0d059751b9763
                                                                                                              • Instruction Fuzzy Hash: A3E0ECB1741314EADA106B62BECBF5A2558E724B15F54043BF101751F2C7BD2C80C95E
                                                                                                              APIs
                                                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 00477AB8
                                                                                                              • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477BAF,0049C0A4,00000000), ref: 00477ACB
                                                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477AD1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                                              • String ID: AllowSetForegroundWindow$user32.dll
                                                                                                              • API String ID: 1782028327-3855017861
                                                                                                              • Opcode ID: 68b371c1f4cd94bc20bebdce253c565989975d555a3c9a3b5155311c67ca03d8
                                                                                                              • Instruction ID: 8233eca9c26ae86130ab8a2651ceb45e7b9436c82c984da63702dcb6f06a18e2
                                                                                                              • Opcode Fuzzy Hash: 68b371c1f4cd94bc20bebdce253c565989975d555a3c9a3b5155311c67ca03d8
                                                                                                              • Instruction Fuzzy Hash: 27D0A7A0208300A6ED10F3F14C47E6F224C8D847587A4C43B7404E3182CABCE900993C
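The three records above that pair GetModuleHandleA with GetProcAddress (resolving ShutdownBlockReasonCreate, ChangeWindowMessageFilter and AllowSetForegroundWindow from user32.dll) are the classic way of keeping an API out of the static import table. Two caveats matter when reading them. First, Joe Sandbox prints the stack contents at the call site, not decoded parameters, so with this Delphi-style register calling convention GetProcAddress appears to receive "user32.dll" while the export name shows up in the GetModuleHandleA line; the reliable place to read the resolved name is the record's String ID. Second, this exact trio is also resolved at run time by legitimate Delphi installer runtimes because the exports do not exist on every Windows version they support, so the triples need surrounding context before being treated as evasion. The Python below is an added example, not part of the Joe Sandbox report: it parses function records in this listing's text format and emits (module, export, call address) triples for every function that both obtains a module handle and calls GetProcAddress directly. The sample input is a constructed, abbreviated copy of three records from this page (only the fields the parser reads are kept); the record layout assumed is the one visible above (an "APIs" line opening each record, bullets of the form `Api.MODULE(args), ref: ADDR`, and a `$`-separated String ID).

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: three records from the listing above, abbreviated to the
# fields this parser reads.  Sub-call bullets keep their extra indentation.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EAEA
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAF0
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB19
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00477AB8
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477BAF,0049C0A4,00000000), ref: 00477ACB
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477AD1
Strings
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
• API String ID: 1782028327-3855017861
APIs
  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
• ShowWindow.USER32(?,00000005,00000000,00497991,?,?,00000000), ref: 00497762
Strings
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
• API String ID: 3312786188-1660910688
"""

# One API bullet: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE(args), ref: ADDR.  Unresolved APIs print as a hex address (e.g.
# 73EAA570.USER32) and still match.
API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Z0-9]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)

# APIs that yield a module handle usable with GetProcAddress.
RESOLVERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA",
             "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


@dataclass
class ApiCall:
    api: str            # e.g. GetProcAddress
    module: str         # e.g. KERNEL32
    args: list[str]     # raw stack snapshot exactly as Joe Sandbox printed it
    ref: str            # address of the call instruction
    subcall: bool       # logged from a callee, not this function's own body


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)   # String ID split on '$'
    api_id: str = ""
    api_string_id: str = ""


def parse_records(text: str) -> list[FunctionRecord]:
    """Split listing text into per-function records, one per 'APIs' heading."""
    records: list[FunctionRecord] = []
    cur: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            cur.calls.append(ApiCall(m["api"], m["mod"], m["args"].split(","),
                                     m["ref"], bool(m["sub"])))
        elif line.startswith("• String ID:"):
            val = line.split(":", 1)[1].strip()
            cur.strings = [s for s in val.split("$") if s]
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• API String ID:"):
            cur.api_string_id = line.split(":", 1)[1].strip()
    return records


def dynamic_imports(records: list[FunctionRecord]) -> list[tuple[str, str, str]]:
    """(module, export, GetProcAddress call address) for each record whose own
    body obtains a module handle and calls GetProcAddress.  Names come from the
    String ID, because the printed argument lists are stack snapshots that do
    not line up with real parameters for register-convention callers."""
    found = []
    for rec in records:
        direct = [c for c in rec.calls if not c.subcall]
        gpa = [c for c in direct if c.api == "GetProcAddress"]
        if not gpa or not any(c.api in RESOLVERS for c in direct):
            continue
        dlls = [s for s in rec.strings if s.lower().endswith(".dll")]
        exports = [s for s in rec.strings if not s.lower().endswith(".dll")]
        module = dlls[0].lower() if dlls else "?"
        for name in exports or ["?"]:
            found.append((module, name, gpa[0].ref))
    return found


if __name__ == "__main__":
    for module, export, ref in dynamic_imports(parse_records(SAMPLE)):
        print(f"{ref}  {module}!{export}")
```

Feeding the full report text (copied from the function listing) into parse_records gives one triple per dynamically resolved export, which is the list to compare against the static import table and against a known-good profile of the installer runtime before deciding whether the resolution is evasion or compatibility shimming.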
                                                                                                              APIs
                                                                                                              • BeginPaint.USER32(00000000,?), ref: 00416C62
                                                                                                              • SaveDC.GDI32(?), ref: 00416C93
                                                                                                              • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
                                                                                                              • RestoreDC.GDI32(?,?), ref: 00416D1B
                                                                                                              • EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                                              • String ID:
                                                                                                              • API String ID: 3808407030-0
                                                                                                              • Opcode ID: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
                                                                                                              • Instruction ID: c70ebf24aed337d2f43398dc79d2f74fb7d9fd2825851e0a0ce007a429ecfdc3
                                                                                                              • Opcode Fuzzy Hash: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
                                                                                                              • Instruction Fuzzy Hash: D7413C70A04204AFDB04DB99D985FAE77F9EB48304F1640AEE4059B362D778ED85CB58
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
                                                                                                              • Instruction ID: fc599d946787c0506e623d191f8eefd10b4a308858d20a9272ac2d3790a9447e
                                                                                                              • Opcode Fuzzy Hash: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
                                                                                                              • Instruction Fuzzy Hash: A1314F746047449FC320EF69C984BABB7E8AF89314F04891EF9D9C3752C638EC858B19
                                                                                                              APIs
                                                                                                              • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
                                                                                                              • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
                                                                                                              • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
                                                                                                              • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
                                                                                                              • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend
                                                                                                              • String ID:
                                                                                                              • API String ID: 3850602802-0
                                                                                                              • Opcode ID: 52b5b48316c5d4ae37ce8577e0a97d76e0e4998a9a2ed84e03e9d155575d1481
                                                                                                              • Instruction ID: c447c4a9eb68fcc7219df142ffdb21218ba7f26748626b58278b549ffff81a32
                                                                                                              • Opcode Fuzzy Hash: 52b5b48316c5d4ae37ce8577e0a97d76e0e4998a9a2ed84e03e9d155575d1481
                                                                                                              • Instruction Fuzzy Hash: 3321AF707507057AE710BB66CC82F5B76ACEB42708F94043EB541AB2D2DF78ED41825C
                                                                                                              APIs
                                                                                                              • GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
                                                                                                              • GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
                                                                                                              • 73EAA570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC22
                                                                                                              • 73EB6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD8D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC69
                                                                                                              • DeleteObject.GDI32(00000000), ref: 0041BCAA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MetricsSystem$A570B6310DeleteObject
                                                                                                              • String ID:
                                                                                                              • API String ID: 2673512122-0
                                                                                                              • Opcode ID: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
                                                                                                              • Instruction ID: d912de8c3c57523408de13a46bdb54385142bc6a2202aaac6113f7462e2bca5d
                                                                                                              • Opcode Fuzzy Hash: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
                                                                                                              • Instruction Fuzzy Hash: CE314F74E00209EFDB04DFA5C941AAEB7F5EB48700F11856AF514AB381D7789E40DB98
                                                                                                              APIs
                                                                                                                • Part of subcall function 0045D3B0: SetLastError.KERNEL32(00000057,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D41B
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0047391C,?,?,0049C1D0,00000000), ref: 004738D5
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0047391C,?,?,0049C1D0,00000000), ref: 004738EB
                                                                                                              Strings
                                                                                                              • Could not set permissions on the registry key because it currently does not exist., xrefs: 004738DF
                                                                                                              • Setting permissions on registry key: %s\%s, xrefs: 0047389A
                                                                                                              • Failed to set permissions on registry key (%d)., xrefs: 004738FC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                                              • API String ID: 1452528299-4018462623
                                                                                                              • Opcode ID: 65c899866a6f92bdc558b75d1f6f5c8f40dffa86cd9e0ff42c768141b597e19f
                                                                                                              • Instruction ID: 0e56c8fb080e82cb73bff42131c1910bc7e2d1be1188aa0d4929b19add272574
                                                                                                              • Opcode Fuzzy Hash: 65c899866a6f92bdc558b75d1f6f5c8f40dffa86cd9e0ff42c768141b597e19f
                                                                                                              • Instruction Fuzzy Hash: D42186B0A046485FCB00DFA9C8816EEBBE5DF49315F50817BE508E7392D7B85A05CB6A
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$AllocString
                                                                                                              • String ID:
                                                                                                              • API String ID: 262959230-0
                                                                                                              • Opcode ID: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
                                                                                                              • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                                                              • Opcode Fuzzy Hash: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
                                                                                                              • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                                                              APIs
                                                                                                              • 73EA8830.GDI32(00000000,00000000,00000000), ref: 00414429
                                                                                                              • 73EA22A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
                                                                                                              • 73EA8830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414445
                                                                                                              • 73EA22A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041444B
                                                                                                              • 73EAA480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414456
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: A8830$A480
                                                                                                              • String ID:
                                                                                                              • API String ID: 3373261071-0
                                                                                                              • Opcode ID: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
                                                                                                              • Instruction ID: 307ee49d89b37f6f535ee678b6e17b633f9af621dfcf88cb872c79a1e2d754b8
                                                                                                              • Opcode Fuzzy Hash: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
                                                                                                              • Instruction Fuzzy Hash: A901D47121C3406AD200B63D8C45B9F6BEC8FC6314F05546EF494D7382C97ACC018765
                                                                                                              APIs
                                                                                                              • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
                                                                                                              • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
                                                                                                              • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Enum$NameOpenResourceUniversal
                                                                                                              • String ID: Z
                                                                                                              • API String ID: 3604996873-1505515367
                                                                                                              • Opcode ID: eb416ea4a1b8f2daa77fdd812f136362b1db0fd9b9a9c64830d5574e342882dc
                                                                                                              • Instruction ID: 2ace50d644c075eff23e32fa5e1ddfe03b8fa53596be5d4ceb5675c655e146ae
                                                                                                              • Opcode Fuzzy Hash: eb416ea4a1b8f2daa77fdd812f136362b1db0fd9b9a9c64830d5574e342882dc
                                                                                                              • Instruction Fuzzy Hash: C0513070E04218ABDB15DF55CD41A9EBBB9FB49304F1041BAE910BB3D1C778AE418F5A
                                                                                                              APIs
                                                                                                              • SetRectEmpty.USER32(?), ref: 0044D05E
                                                                                                              • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D089
                                                                                                              • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D111
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DrawText$EmptyRect
                                                                                                              • String ID:
                                                                                                              • API String ID: 182455014-2867612384
                                                                                                              • Opcode ID: 9bd908fd6ab002ebc51c141ad104fc93549b6590cb61d9638f2d60c2e4f6398c
                                                                                                              • Instruction ID: 2c2bbb7fbf4b59eae95d31c7b28000ca71a9f0321ec4255fb332cd8a4a3f7a8e
                                                                                                              • Opcode Fuzzy Hash: 9bd908fd6ab002ebc51c141ad104fc93549b6590cb61d9638f2d60c2e4f6398c
                                                                                                              • Instruction Fuzzy Hash: F6516071E00244AFDB10DFA5C885BDEBBF8AF49308F08847AE845EB255D778A945CB64
                                                                                                              APIs
                                                                                                              • 73EAA570.USER32(00000000,00000000,0042F0D8,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EFAE
                                                                                                                • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 0042EFD1
                                                                                                              • 73EAA480.USER32(00000000,?,0042F0BD,00000000,0042F0B6,?,00000000,00000000,0042F0D8,?,?,?,?,00000000,00000000,00000000), ref: 0042F0B0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: A480A570CreateFontIndirectObjectSelect
                                                                                                              • String ID: ...\
                                                                                                              • API String ID: 2998766281-983595016
                                                                                                              • Opcode ID: da53642769cbe036028c7dc5c32fe254f1027efce08608ae13d670d4fc685408
                                                                                                              • Instruction ID: 4ea51e63949933808241df29427b07dd96e06abf1a704ffa26f869fa6ec4a11f
                                                                                                              • Opcode Fuzzy Hash: da53642769cbe036028c7dc5c32fe254f1027efce08608ae13d670d4fc685408
                                                                                                              • Instruction Fuzzy Hash: 2F315270B00128ABDF11EF96D841BAEB7B8EB48708FD1447BF410A7292D7785D49CA59
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 00453997
                                                                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 004539A7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseCreateFileHandle
                                                                                                              • String ID: .tmp$_iu
APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
• UnregisterClassA.USER32(?,00400000), ref: 004164BB
• RegisterClassA.USER32(?), ref: 004164DE
Strings
Similarity
• API ID: Class$InfoRegisterUnregister
• String ID: @
APIs
• GetFileAttributesA.KERNEL32(00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C50
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C79
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00497C92
Strings
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
APIs
  • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456A88
• RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456AB5
Strings
Similarity
• API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
• String ID: LoadTypeLib$RegisterTypeLib
APIs
• SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456FA6
• SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457043
Strings
• Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456FD2
• Failed to create DebugClientWnd, xrefs: 0045700C
Similarity
• API ID: MessageSend
• String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495E38,?,00495E2C,00000000,00495E13), ref: 00495DDE
• CloseHandle.KERNEL32(x^I,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495E38,?,00495E2C,00000000), ref: 00495DF5
  • Part of subcall function 00495CC8: GetLastError.KERNEL32(00000000,00495D60,?,?,?,?), ref: 00495CEC
Strings
Similarity
• API ID: CloseCreateErrorHandleLastProcess
• String ID: D$x^I
APIs
  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
• GetFocus.USER32 ref: 00478673
• GetKeyState.USER32(0000007A), ref: 00478685
• WaitMessage.USER32(?,00000000,004786AC,?,00000000,004786D3,?,?,00000001,00000000,?,?,?,0047FED4,00000000,00480D8E), ref: 0047868F
Strings
Similarity
• API ID: FocusMessageStateTextWaitWindow
• String ID: Wnd=$%x
APIs
• FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E8C0
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E8CF
Strings
Similarity
• API ID: Time$File$LocalSystem
• String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                                              • API String ID: 1748579591-1013271723
                                                                                                              • Opcode ID: 2e2682d59cfc45f7ed460395edcc4d500eda373c92ad7cb826f7e8648d0918d2
                                                                                                              • Instruction ID: 5dd70de3b3cbc2db986134396dd9c806d54cb2705fd1511918c86a199fc004ed
                                                                                                              • Opcode Fuzzy Hash: 2e2682d59cfc45f7ed460395edcc4d500eda373c92ad7cb826f7e8648d0918d2
                                                                                                              • Instruction Fuzzy Hash: 1711F8A440C3919AD340DF2AC44432BBBE4AF89704F44892EF9D8D6381E779C948DB77
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F6F
  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
• MoveFileA.KERNEL32(00000000,00000000), ref: 00453F94
  • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
Strings
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: DeleteFile$MoveFile
• API String ID: 3024442154-139070271
• Opcode ID: 987ea279d6d59187c3e0b7c28975cb0d289204635ad797c92353d6d323b91857
• Instruction ID: b42c41819cc20c1867e4fcb1ab4fb5766129ddbc0fc5112b2d6697d8e42203d6
• Opcode Fuzzy Hash: 987ea279d6d59187c3e0b7c28975cb0d289204635ad797c92353d6d323b91857
• Instruction Fuzzy Hash: 49F062716041455AEB01FAA5D84266EA3ECDB8430BFA0403BB800BB6C3DA3C9E09493D
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483685
• RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004836A8
Strings
• CSDVersion, xrefs: 0048367C
• System\CurrentControlSet\Control\Windows, xrefs: 00483652
Similarity
• API ID: CloseOpenQueryValue
• String ID: CSDVersion$System\CurrentControlSet\Control\Windows
• API String ID: 3677997916-1910633163
• Opcode ID: 753ec1cdaceecf10a2c10abed9fa14ba9196f183527e9def43a7b07e5ea74203
• Instruction ID: 3c550b8be62ae6962ae8a8b2bb2136c6a1766c1456238aff6c9f059f5d92f743
• Opcode Fuzzy Hash: 753ec1cdaceecf10a2c10abed9fa14ba9196f183527e9def43a7b07e5ea74203
• Instruction Fuzzy Hash: B1F06D75E00208B6DF20EED88C45BAFB3BCAF14B05F204566E910E7381F6789B448B59
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459805,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459715
Strings
Similarity
• API ID: CloseOpen
• String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
• API String ID: 47109696-2631785700
• Opcode ID: 2bb6d2a90fde3dca571cbffa0de55d15307f7e9fe95e0bdc468a8876b40318f9
• Instruction ID: 5fc53f2980ca067f7fdefaa7aa50a153e5e830959166a8c5adde0da5508e813c
• Opcode Fuzzy Hash: 2bb6d2a90fde3dca571cbffa0de55d15307f7e9fe95e0bdc468a8876b40318f9
• Instruction Fuzzy Hash: 97F0AF35720150DBCB10EF5AE885B4E6298DB99396F50403BB985CB263C77CCC06CA99
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B46,00000000,00453BE9,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FD9,00000000), ref: 0042D91A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D920
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetSystemWow64DirectoryA$kernel32.dll
• API String ID: 1646373207-4063490227
• Opcode ID: 9f11ee2d5e3000e0cdd038ccf0fc88bc65f7f941c6d0e4eb05ced4219cc1a029
• Instruction ID: 1097081faf8e12b72459453f22f39748745641366cc83a46a0cb0e3cd7246884
• Opcode Fuzzy Hash: 9f11ee2d5e3000e0cdd038ccf0fc88bc65f7f941c6d0e4eb05ced4219cc1a029
• Instruction Fuzzy Hash: 5FE04FE1B40B1112D71066BA5C82B6B158E4B84724F90443B3994E62C3DDBCD9885A5D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAE0), ref: 0042EB72
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB78
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: ShutdownBlockReasonDestroy$user32.dll
• API String ID: 1646373207-260599015
• Opcode ID: ea69c1903bbb3952bc51afe47cebbdaeff40ebefb6d83304b24a691856bce627
• Instruction ID: 186c8a8b24504359f9bd95d8817b94a00a7cf61d77d8ea7090d5fad6c77db3b3
• Opcode Fuzzy Hash: ea69c1903bbb3952bc51afe47cebbdaeff40ebefb6d83304b24a691856bce627
• Instruction Fuzzy Hash: 1CD0C792312732666D10F1F73CD1DBB098C89116753544477F505E5241D55DDD01196D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004985C2), ref: 0044F78F
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F795
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: NotifyWinEvent$user32.dll
• API String ID: 1646373207-597752486
• Opcode ID: ae93fc19694d9525260dce27dd3aecea032003b0c05c01207aef2e00a83e3bcb
• Instruction ID: adaf68bc035e952e092e397114f6a1653fed54d9058db7208dfb757fc5d15743
• Opcode Fuzzy Hash: ae93fc19694d9525260dce27dd3aecea032003b0c05c01207aef2e00a83e3bcb
• Instruction Fuzzy Hash: F7E012F4E417049DEF00BBF5BA86B1E3A90E764718B01417FF404A62A2DB7C440C8E5D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498618,00000001,00000000,0049863C), ref: 00498342
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498348
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: DisableProcessWindowsGhosting$user32.dll
• API String ID: 1646373207-834958232
• Opcode ID: a3044ebe087eacdbfcba4854d25501df4a36c2cbac561551b3a8e0a3d6241fb5
• Instruction ID: 7eda4cb16e2cba450c320cc229382d7be1fc12bfd2fbc27455de3eb8489cf644
• Opcode Fuzzy Hash: a3044ebe087eacdbfcba4854d25501df4a36c2cbac561551b3a8e0a3d6241fb5
• Instruction Fuzzy Hash: 88B092C128174298AC7032FA0C02A1F08084882F28718083F3C48F50C2CD6ED804182D
APIs
  • Part of subcall function 0044B668: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6CB
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6DD
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6EF
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B701
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B713
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B725
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B737
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B749
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B75B
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B76D
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B77F
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B791
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B7A3
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7B5
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7C7
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975
Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$LibraryLoad
                                                                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                              • API String ID: 2238633743-2683653824
                                                                                                              • Opcode ID: b0b0cc609965775dafbc177cfbf53c5f286fe0b9a785a06f0526f65a81a5d1e8
                                                                                                              • Instruction ID: ef62b78e1ecbbf86accf82cc5e54c74759ffbda80f6f2c7107c350d82a6c33f4
                                                                                                              • Opcode Fuzzy Hash: b0b0cc609965775dafbc177cfbf53c5f286fe0b9a785a06f0526f65a81a5d1e8
                                                                                                              • Instruction Fuzzy Hash: 48B092E06E2700A88E00B7FA2887B0B104895D0B1DB56063F704979092EB7C4008CD6E
                                                                                                              APIs
                                                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D4A8,?,?,?,?,00000000,0047D5FD,?,?,?,00000000,?,0047D70E), ref: 0047D484
                                                                                                              • FindClose.KERNEL32(000000FF,0047D4AF,0047D4A8,?,?,?,?,00000000,0047D5FD,?,?,?,00000000,?,0047D70E,00000000), ref: 0047D4A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$CloseFileNext
                                                                                                              • String ID:
                                                                                                              • API String ID: 2066263336-0
                                                                                                              • Opcode ID: b2c7b71d20f6e59f381effc7c5b6ff5d5103613db955826220e612b659a83145
                                                                                                              • Instruction ID: 2979fa4f850f67a6d1e6d53d287e6b8f4dfe67a5ddfa55c2aaa4ecb03bfc0e13
                                                                                                              • Opcode Fuzzy Hash: b2c7b71d20f6e59f381effc7c5b6ff5d5103613db955826220e612b659a83145
                                                                                                              • Instruction Fuzzy Hash: CA812D70D0024DAFDF11DFA5CC55ADFBBB9EF49308F5080AAE808A7291D6399A46CF54
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042EE40: GetTickCount.KERNEL32 ref: 0042EE46
                                                                                                                • Part of subcall function 0042EC98: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECCD
                                                                                                              • GetLastError.KERNEL32(00000000,00475991,?,?,0049C1D0,00000000), ref: 0047587A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CountErrorFileLastMoveTick
                                                                                                              • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                                                              • API String ID: 2406187244-2685451598
                                                                                                              • Opcode ID: 0a1b29da48a0e8fc9cf90d26d5d6551fdd5eac2558fd5f62cf07407676141883
                                                                                                              • Instruction ID: 8ae0701305b01ce1bca9537847079d861391bf026d2cb8563746cd807755024f
                                                                                                              • Opcode Fuzzy Hash: 0a1b29da48a0e8fc9cf90d26d5d6551fdd5eac2558fd5f62cf07407676141883
                                                                                                              • Instruction Fuzzy Hash: BB4166B0A006098FDB10EFA5D882ADE77B5EF48314F60853BE514BB351D7789A058BA9
                                                                                                              APIs
                                                                                                              • GetDesktopWindow.USER32 ref: 00413D56
                                                                                                              • GetDesktopWindow.USER32 ref: 00413E0E
                                                                                                                • Part of subcall function 00418ED0: 6F9CC6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049B628), ref: 00418EEC
                                                                                                                • Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049B628), ref: 00418F09
                                                                                                              • SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CursorDesktopWindow$Show
                                                                                                              • String ID:
                                                                                                              • API String ID: 2074268717-0
                                                                                                              • Opcode ID: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
                                                                                                              • Instruction ID: 95de96b99ba854305cf3f6c98da1fc171ffd9c3687d173b50ed20deed18b133b
                                                                                                              • Opcode Fuzzy Hash: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
                                                                                                              • Instruction Fuzzy Hash: 59411F75600250AFC710DF2AFA85B5677E1EB64319F15817BE404CB365DB38AD81CF98
                                                                                                              APIs
                                                                                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A7D
                                                                                                              • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AEC
                                                                                                              • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B87
                                                                                                              • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BC6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LoadString$FileMessageModuleName
                                                                                                              • String ID:
                                                                                                              • API String ID: 704749118-0
                                                                                                              • Opcode ID: 951c1155a055777031086f0b90c3083af3c2960daf331f13f5541ebbba7c3e7d
                                                                                                              • Instruction ID: 11344639af0fa1b95b6fef638a25282c94d515b30ba3ed4b3402aedba36e13da
                                                                                                              • Opcode Fuzzy Hash: 951c1155a055777031086f0b90c3083af3c2960daf331f13f5541ebbba7c3e7d
                                                                                                              • Instruction Fuzzy Hash: 843133706083849ED330EA658945B9F77D89B85304F40483FF6C8D72D1DB79A9048B67
                                                                                                              APIs
                                                                                                              • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E91D
                                                                                                                • Part of subcall function 0044CF60: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF92
                                                                                                              • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E9A1
                                                                                                                • Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8
                                                                                                              • IsRectEmpty.USER32(?), ref: 0044E963
                                                                                                              • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E986
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 855768636-0
                                                                                                              • Opcode ID: 919708f5ffdde2f57f521d6641e4cc0e1a287a75e8cdc9711807c6008472dbb9
                                                                                                              • Instruction ID: 03991ef50c1cdc1947edd1d0bf9da16660927dd763c0b41cb42d654f0fd6bbd7
                                                                                                              • Opcode Fuzzy Hash: 919708f5ffdde2f57f521d6641e4cc0e1a287a75e8cdc9711807c6008472dbb9
                                                                                                              • Instruction Fuzzy Hash: 47113871B5030027E250AA7A9C86B5B76899B88748F14093FB546EB3C7EE7DDC09429D
                                                                                                              APIs
                                                                                                              • OffsetRect.USER32(?,?,00000000), ref: 00495358
                                                                                                              • OffsetRect.USER32(?,00000000,?), ref: 00495373
                                                                                                              • OffsetRect.USER32(?,?,00000000), ref: 0049538D
                                                                                                              • OffsetRect.USER32(?,00000000,?), ref: 004953A8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: OffsetRect
                                                                                                              • String ID:
                                                                                                              • API String ID: 177026234-0
                                                                                                              • Opcode ID: 39b7304c59ecfeab53ef959acea8ec35100b2c2eb9a0585a5ab9f65ef9bb45fe
                                                                                                              • Instruction ID: af1c1dfc71d00ff4a9a929e8d6bf6bfabc08d13bc1b1844b1e7d273cf48c6b2a
                                                                                                              • Opcode Fuzzy Hash: 39b7304c59ecfeab53ef959acea8ec35100b2c2eb9a0585a5ab9f65ef9bb45fe
                                                                                                              • Instruction Fuzzy Hash: 94217CB6700701ABD700DE69CD85E5BB7DEEBC4344F24CA2AF954C7249D634ED0487A6
                                                                                                              APIs
                                                                                                              • GetCursorPos.USER32 ref: 00417270
                                                                                                              • SetCursor.USER32(00000000), ref: 004172B3
                                                                                                              • GetLastActivePopup.USER32(?), ref: 004172DD
                                                                                                              • GetForegroundWindow.USER32(?), ref: 004172E4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 1959210111-0
                                                                                                              • Opcode ID: ab2bc15dd938f987afbfcd80c1a154205083a351e68354f3dc1a1c3122339836
                                                                                                              • Instruction ID: a2974bbdd40a4ad71efed6c963999b1e78101043f5dd1c0306289f7dfca9f025
                                                                                                              • Opcode Fuzzy Hash: ab2bc15dd938f987afbfcd80c1a154205083a351e68354f3dc1a1c3122339836
                                                                                                              • Instruction Fuzzy Hash: 4321A1313082018BCB20AB69E985AE733B1EF44754B0545ABF854CB352D73CDC82CB89
                                                                                                              APIs
                                                                                                              • MulDiv.KERNEL32(8B500000,00000008,?), ref: 00494FC1
                                                                                                              • MulDiv.KERNEL32(50142444,00000008,?), ref: 00494FD5
                                                                                                              • MulDiv.KERNEL32(F70577E8,00000008,?), ref: 00494FE9
                                                                                                              • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00495007
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                                              • Instruction ID: c81a7ae82503e1df060b9d2e8e6c822c04bb2cec442f3182d8fec1f0f0e8f71f
                                                                                                              • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                                              • Instruction Fuzzy Hash: 48112472604204ABCF50DE99C8C4D9B7BECEF4D320B1541A6F918DB246D674DD408BA4
                                                                                                              APIs
                                                                                                              • GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
                                                                                                              • UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
                                                                                                              • RegisterClassA.USER32(00499598), ref: 0041F4E4
                                                                                                              • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 4025006896-0
                                                                                                              • Opcode ID: 17400656b2714228e1ab5d36733c826c34e0b7aebe27f437723bcf7a68a21383
                                                                                                              • Instruction ID: e8d232a05c88a2160d81946a52d6ac90de0a8bd7e5396313334bc6410d622602
                                                                                                              • Opcode Fuzzy Hash: 17400656b2714228e1ab5d36733c826c34e0b7aebe27f437723bcf7a68a21383
                                                                                                              • Instruction Fuzzy Hash: 7B011B722401047BDA10EB6DED81E9B3799D719314B11413BBA15E72A1D7369C154BAC
                                                                                                              APIs
                                                                                                              • WaitForInputIdle.USER32(00000001,00000032), ref: 00454F94
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00454FB6
                                                                                                              • GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00454FC5
                                                                                                              • CloseHandle.KERNEL32(00000001,00454FF2,00454FEB,?,00000031,00000080,00000000,?,?,0045534B,00000080,0000003C,00000000,00455361), ref: 00454FE5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 4071923889-0
                                                                                                              • Opcode ID: 45540edf5afa8ba95db9dec670ac0957df4a9836c83591dc179b3e9a7f9926ac
                                                                                                              • Instruction ID: 44a5693fa59bfbe72ab063cfacecacb9b789a88f4d4f9747d0667cdf65a63c8e
                                                                                                              • Opcode Fuzzy Hash: 45540edf5afa8ba95db9dec670ac0957df4a9836c83591dc179b3e9a7f9926ac
                                                                                                              • Instruction Fuzzy Hash: 7201F9716046087EEB20979E8C06F6B7BACDF44774F610167F904DB2C2C6785D40C668
                                                                                                              APIs
                                                                                                              • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D227
                                                                                                              • LoadResource.KERNEL32(00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047C7C4,0000000A,REGDLL_EXE), ref: 0040D241
                                                                                                              • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047C7C4), ref: 0040D25B
                                                                                                              • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?), ref: 0040D265
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                                              • String ID:
                                                                                                              • API String ID: 3473537107-0
                                                                                                              • Opcode ID: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
                                                                                                              • Instruction ID: 8b55825d53d46818f15098a3aa340eb6897fe62b828c159971ec5f2842f97e2f
                                                                                                              • Opcode Fuzzy Hash: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
                                                                                                              • Instruction Fuzzy Hash: ADF062736046046F8704EE9DA881D5B77ECDE88364310017FF908EB246DA38DD018B78
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000000,00000000), ref: 004700ED
                                                                                                              Strings
                                                                                                              • Unsetting NTFS compression on directory: %s, xrefs: 004700D3
                                                                                                              • Failed to set NTFS compression state (%d)., xrefs: 004700FE
                                                                                                              • Setting NTFS compression on directory: %s, xrefs: 004700BB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                                              • API String ID: 1452528299-1392080489
                                                                                                              • Opcode ID: dfebb939fa925478a91c01d20c19499446f2cbe0988f19a8e93b7205f6de1292
                                                                                                              • Instruction ID: 8e5543267561a70d3fbbbef991b1365390ff1382f756d9cdf86c8bb39141f558
                                                                                                              • Opcode Fuzzy Hash: dfebb939fa925478a91c01d20c19499446f2cbe0988f19a8e93b7205f6de1292
                                                                                                              • Instruction Fuzzy Hash: C9011730E0928C96CF05D7ADA0412DDBBF4DF4D314F84C1AFA45DE7282DA790609879A
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(?,00000000), ref: 00470899
                                                                                                              Strings
                                                                                                              • Failed to set NTFS compression state (%d)., xrefs: 004708AA
                                                                                                              • Setting NTFS compression on file: %s, xrefs: 00470867
                                                                                                              • Unsetting NTFS compression on file: %s, xrefs: 0047087F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                                              • API String ID: 1452528299-3038984924
                                                                                                              • Opcode ID: 323dc33fe38fce2a535158e710f937577eac4405a22a140b88caf43724a8761b
                                                                                                              • Instruction ID: 78fa65e16581c334b53b8e167e27839d8ecb3154876bc13dabe901d18edf2e93
                                                                                                              • Opcode Fuzzy Hash: 323dc33fe38fce2a535158e710f937577eac4405a22a140b88caf43724a8761b
                                                                                                              • Instruction Fuzzy Hash: 5C01F430D092489ADB04A7E9A4412EDBBF49F09314F45C1ABA459E7282DAB9050947DB
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045BB12,?,?,?,?,?,00000000,0045BB39), ref: 00455DC4
                                                                                                              • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045BB12,?,?,?,?,?,00000000), ref: 00455DCD
                                                                                                              • RemoveFontResourceA.GDI32(00000000), ref: 00455DDA
                                                                                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455DEE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                                              • String ID:
                                                                                                              • API String ID: 4283692357-0
                                                                                                              • Opcode ID: 5aa6bc1fef2ece3e1d74d37f8f7457d5ece9b91b834f41029562ebbb00b702db
                                                                                                              • Instruction ID: 88a6b2d0cd2ebf9d052afffcb5c4be27c29a8e8e48dcb03e602a07ae18d4e81c
                                                                                                              • Opcode Fuzzy Hash: 5aa6bc1fef2ece3e1d74d37f8f7457d5ece9b91b834f41029562ebbb00b702db
                                                                                                              • Instruction Fuzzy Hash: E3F05EB6B4470176EA10B6B69C8BF2B229C9F54745F10883BBA00EF2C3D97CDC04962D
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$CountSleepTick
                                                                                                              • String ID:
                                                                                                              • API String ID: 2227064392-0
                                                                                                              • Opcode ID: b259759894679f81c91e5f8e49ac887a4ee880673b8cc13734a950e5130029b9
                                                                                                              • Instruction ID: e9c2c7e2fc271270d41d52dba3350464f1e42bdffd51bbfd166b1ef271046f5a
                                                                                                              • Opcode Fuzzy Hash: b259759894679f81c91e5f8e49ac887a4ee880673b8cc13734a950e5130029b9
                                                                                                              • Instruction Fuzzy Hash: 93E02B7130964845CA24B2BE28C37BF4A88CB8536AB14453FF08CD6242C42C4D05956E
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB,00000000), ref: 00478129
                                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB), ref: 0047812F
                                                                                                              • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E), ref: 00478151
                                                                                                              • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E), ref: 00478162
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                                              • String ID:
                                                                                                              • API String ID: 215268677-0
                                                                                                              APIs
                                                                                                              • GetLastActivePopup.USER32(?), ref: 0042425C
                                                                                                              • IsWindowVisible.USER32(?), ref: 0042426D
                                                                                                              • IsWindowEnabled.USER32(?), ref: 00424277
                                                                                                              • SetForegroundWindow.USER32(?), ref: 00424281
                                                                                                              Similarity
                                                                                                              • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                                              • String ID:
                                                                                                              • API String ID: 2280970139-0
                                                                                                              APIs
                                                                                                              • GlobalHandle.KERNEL32 ref: 00406287
                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0040628E
                                                                                                              • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00406299
                                                                                                              Similarity
                                                                                                              • API ID: Global$AllocHandleLockUnlock
                                                                                                              • String ID:
                                                                                                              • API String ID: 2167344118-0
                                                                                                              APIs
                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047B8D5,?,00000000,00000000,00000001,00000000,0047A301,?,00000000), ref: 0047A2C5
                                                                                                              Strings
                                                                                                              • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A139
                                                                                                              • Failed to parse "reg" constant, xrefs: 0047A2CC
                                                                                                              Similarity
                                                                                                              • API ID: Close
                                                                                                              • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                                              • API String ID: 3535843008-1938159461
                                                                                                              APIs
                                                                                                              • GetForegroundWindow.USER32(00000000,00483196,?,00000000,004831D7,?,?,?,?,00000000,00000000,00000000,?,0046C0D1), ref: 00483045
                                                                                                              • SetActiveWindow.USER32(?,00000000,00483196,?,00000000,004831D7,?,?,?,?,00000000,00000000,00000000,?,0046C0D1), ref: 00483057
                                                                                                              Strings
                                                                                                              • Will not restart Windows automatically., xrefs: 00483176
                                                                                                              Similarity
                                                                                                              • API ID: Window$ActiveForeground
                                                                                                              • String ID: Will not restart Windows automatically.
                                                                                                              • API String ID: 307657957-4169339592
                                                                                                              APIs
                                                                                                              • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
                                                                                                                • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0218A350,00001CAC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                                • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0218A350,00001CAC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                                • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0218A350,00001CAC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                                • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0218A350,00001CAC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                                              • String ID: `$k
                                                                                                              • API String ID: 296031713-2619231044
                                                                                                              Strings
                                                                                                              • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CFE0
                                                                                                              • Failed to proceed to next wizard page; aborting., xrefs: 0046CFCC
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                                              • API String ID: 0-1974262853
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegCloseKey.ADVAPI32(?,00478E9A,?,?,00000001,00000000,00000000,00478EB5), ref: 00478E83
                                                                                                              Strings
                                                                                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478E0E
                                                                                                              • %s\%s_is1, xrefs: 00478E2C
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpen
                                                                                                              • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                              • API String ID: 47109696-1598650737
APIs
• SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501E9
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045021A
Strings
Memory Dump Source
• Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExecuteMessageSendShell
• String ID: open
• API String ID: 812272486-2758837156
• Opcode ID: adeb5e276340ad6fa3d53176e38ffb5e58c1499704c489fbf40d86a9362c05b3
• Instruction ID: 6e2feb9b457cb976a84d54f3b3258ed3b08e14d6ba220cef3ebd8abcd6e201e4
• Opcode Fuzzy Hash: adeb5e276340ad6fa3d53176e38ffb5e58c1499704c489fbf40d86a9362c05b3
• Instruction Fuzzy Hash: 62219474E40208AFDB00DFA5C886B9EB7F8EB44705F2081BAB514E7282D7789E05CB58
APIs
• ShellExecuteEx.SHELL32(0000003C), ref: 00455318
• GetLastError.KERNEL32(0000003C,00000000,00455361,?,?,00000001,00000001), ref: 00455329
  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
Strings
Similarity
• API ID: DirectoryErrorExecuteLastShellSystem
• String ID: <
• API String ID: 893404051-4251816714
• Opcode ID: 57012810d142c3df1a5160bec437aa7c33a0c7c828d826884eb3f35a8728d1b1
• Instruction ID: ea799879bbb6ab716a70283d096866571a468ac1fa4b8cc73728b10af3e72d10
• Opcode Fuzzy Hash: 57012810d142c3df1a5160bec437aa7c33a0c7c828d826884eb3f35a8728d1b1
• Instruction Fuzzy Hash: 02215370A00609ABDB10DFA5D8926AE7BF8AF18355F50443AFC44E7281D7789949CB58
APIs
• RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
• RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0218A350,00001CAC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0218A350,00001CAC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0218A350,00001CAC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0218A350,00001CAC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Strings
Similarity
• API ID: CriticalSection$EnterLeave$AllocInitializeLocal
• String ID: )
• API String ID: 2227675388-1084416617
• Opcode ID: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
• Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
• Opcode Fuzzy Hash: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
• Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496539
Strings
Similarity
• API ID: Window
• String ID: /INITPROCWND=$%x $@
• API String ID: 2353593579-4169826103
• Opcode ID: 552611a81f91654fc44d41bb0f0c519a98a2c07263e337a61ce07e3eab6c417a
• Instruction ID: 8ac61a852f64af84e8a4d996ffe215da0ea6a1f7c0dd4c2642a2787a2d41e8fe
• Opcode Fuzzy Hash: 552611a81f91654fc44d41bb0f0c519a98a2c07263e337a61ce07e3eab6c417a
• Instruction Fuzzy Hash: C711A531A043089FDB01DF64E855BAE7BE8EB48324F52847BE404E7281DB3CE905CA58
APIs
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• SysFreeString.OLEAUT32(?), ref: 004474D6
Strings
Similarity
• API ID: String$AllocByteCharFreeMultiWide
• String ID: NIL Interface Exception$Unknown Method
• API String ID: 3952431833-1023667238
• Opcode ID: 258d3c6477c64922ebec54d5f4264d59c03dbf12c3c57b46792931bb3fd1eaaf
• Instruction ID: aafd2560cbf8ba646f5ae6954b41d26adab4393ec7197c17a1bba45f9511721b
• Opcode Fuzzy Hash: 258d3c6477c64922ebec54d5f4264d59c03dbf12c3c57b46792931bb3fd1eaaf
• Instruction Fuzzy Hash: 0811D6306042049FEB10DFA59D42A6EBBACEB49704F91403AF504E7681C7789D01CB69
APIs
• RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD88
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDC8
Strings
Similarity
• API ID: Value$EnumQuery
• String ID: Inno Setup: No Icons
• API String ID: 1576479698-2016326496
• Opcode ID: e0e38617d7780f69d75f26860b1501b2527d54a68fe4bf3310a8a6dfd5a7631c
• Instruction ID: 05ef73584c9e0c756a5fead926ccd29af3c260b6948a855c27afe474e1c18ecb
• Opcode Fuzzy Hash: e0e38617d7780f69d75f26860b1501b2527d54a68fe4bf3310a8a6dfd5a7631c
• Instruction Fuzzy Hash: B2012B36F5A77179F73046256D02BBB56888B82B60F68453BF940EA2C0D6589C04C36E
APIs
  • Part of subcall function 004555D0: GetCurrentProcess.KERNEL32(00000028), ref: 004555DF
  • Part of subcall function 004555D0: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555E5
• SetForegroundWindow.USER32(?), ref: 00497266
Strings
• Not restarting Windows because Uninstall is being run from the debugger., xrefs: 00497291
• Restarting Windows., xrefs: 00497243
Similarity
• API ID: Process$CurrentForegroundOpenTokenWindow
• String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
• API String ID: 3179053593-4147564754
• Opcode ID: 699fd1f27132e499a72d678966239612eac8b61dfe9d57f4c88cf0c32b356d0f
• Instruction ID: f042dff5c045186d33be5417afa4f05d679b9763972d2bb00463d131ea403ed4
• Opcode Fuzzy Hash: 699fd1f27132e499a72d678966239612eac8b61dfe9d57f4c88cf0c32b356d0f
• Instruction Fuzzy Hash: FD01D8706282406BEB00EB65E981B9C3F99AB5430CF5040BBF900A72D3D73C9945871D
APIs
  • Part of subcall function 0047CD84: FreeLibrary.KERNEL32(74AA0000,004814B7), ref: 0047CD9A
  • Part of subcall function 0047CA54: GetTickCount.KERNEL32 ref: 0047CA9E
  • Part of subcall function 004570CC: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004570EB
• GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049832B), ref: 00497A29
• TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049832B), ref: 00497A2F
Strings
• Detected restart. Removing temporary directory., xrefs: 004979E3
                                                                                                              Similarity
                                                                                                              • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                                              • String ID: Detected restart. Removing temporary directory.
                                                                                                              • API String ID: 1717587489-3199836293
                                                                                                              • Opcode ID: e611eeaa9fed28cadb8c69ef2edffd8a52967f1f4ce985551ff58b7f7fd4f302
                                                                                                              • Instruction ID: 93f06bea8fcfa1b224d7ac257058da4e76460d04d1e35911cc499d3d1c0dfa98
                                                                                                              • Opcode Fuzzy Hash: e611eeaa9fed28cadb8c69ef2edffd8a52967f1f4ce985551ff58b7f7fd4f302
                                                                                                              • Instruction Fuzzy Hash: 51E0553120C3002EDA02B7B2BC52A2F7F8CD701728311083BF40882452C43D1810C77D
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(00000000,00498586), ref: 0040334B
                                                                                                              • GetCommandLineA.KERNEL32(00000000,00498586), ref: 00403356
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CommandHandleLineModule
                                                                                                              • String ID: 6i
                                                                                                              • API String ID: 2123368496-2055133051
                                                                                                              • Opcode ID: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                                                                              • Instruction ID: ff8fa06d391bd0b31f892a344b3e95d40f530220570fde7b1ba7fad45aeb04f1
                                                                                                              • Opcode Fuzzy Hash: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                                                                              • Instruction Fuzzy Hash: 45C002609013058AD754AF7579467162A94D751349F80447FF114BA3E1D77C82055BDD
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3605190189.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.3605100356.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605546328.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605635464.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605669938.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.3605697411.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_noode.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastSleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 1458359878-0
                                                                                                              • Opcode ID: 11e49af8eca5aab8e77903997d46822470632a6293514e89f51700c73713890d
                                                                                                              • Instruction ID: a2606c7dd4c17da0a3c90c20a229de96912268129783a4208f21052e6a4fbdd3
                                                                                                              • Opcode Fuzzy Hash: 11e49af8eca5aab8e77903997d46822470632a6293514e89f51700c73713890d
                                                                                                              • Instruction Fuzzy Hash: 62F02436B01D64578F20A59E998193F63DDEA94376750013BFC0CDB303D438CC098AA9

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:3.6%
                                                                                                              Dynamic/Decrypted Code Coverage:84%
                                                                                                              Signature Coverage:4%
                                                                                                              Total number of Nodes:2000
                                                                                                              Total number of Limit Nodes:41
__EH_prolog 20235->20236 20378 2cedfd6 20236->20378 20238 2cea84d shared_ptr 20238->20192 20240 2ce5123 __EH_prolog 20239->20240 20382 2cf0af0 20240->20382 20243 2ce3c67 72 API calls 20244 2ce514a 20243->20244 20245 2ce3d7e 64 API calls 20244->20245 20246 2ce5158 20245->20246 20247 2ce8311 89 API calls 20246->20247 20248 2ce516c 20247->20248 20267 2ce5322 shared_ptr 20248->20267 20386 2cea6fb 20248->20386 20251 2ce51f6 20253 2cea6fb 73 API calls 20251->20253 20252 2ce51c4 20254 2cea6fb 73 API calls 20252->20254 20256 2ce5207 20253->20256 20255 2ce51d4 20254->20255 20259 2cea6fb 73 API calls 20255->20259 20255->20267 20257 2cea6fb 73 API calls 20256->20257 20256->20267 20258 2ce524a 20257->20258 20261 2cea6fb 73 API calls 20258->20261 20258->20267 20260 2ce52b4 20259->20260 20262 2cea6fb 73 API calls 20260->20262 20260->20267 20261->20255 20263 2ce52da 20262->20263 20264 2cea6fb 73 API calls 20263->20264 20263->20267 20265 2ce5304 20264->20265 20391 2ceceaf 20265->20391 20267->20192 20269 2ceabef __EH_prolog 20268->20269 20442 2ced0c4 20269->20442 20271 2ceac10 shared_ptr 20445 2cf20d0 20271->20445 20273 2ceac27 20274 2ceac3d 20273->20274 20451 2ce3fb0 20273->20451 20274->20192 20279 2cf18dd 20278->20279 20280 2cf1901 20278->20280 20279->20280 20281 2cf18f1 GetProcessHeap HeapFree 20279->20281 20280->20192 20281->20280 20283 2ce4112 20282->20283 20285 2ce4118 20282->20285 20698 2cea6d9 20283->20698 20285->20192 20287 2cf2429 20286->20287 20288 2cf2414 20286->20288 20287->20288 20289 2cf2430 20287->20289 20290 2cf5e3b __commit 59 API calls 20288->20290 20700 2cf6030 20289->20700 20292 2cf2419 20290->20292 20293 2cf4ed5 __commit 9 API calls 20292->20293 20295 2cf2424 20293->20295 20295->20192 20925 2d053d0 20297->20925 20299 2ce1bb1 RtlEnterCriticalSection 20300 2ce1be9 RtlLeaveCriticalSection 20299->20300 20303 2ce1bd1 20299->20303 20301 2ce1bfa RtlEnterCriticalSection 20300->20301 20304 2ce1c22 20301->20304 20302 2ce1c55 RtlLeaveCriticalSection 20302->20192 
20303->20300 20303->20302 20304->20302 20306 2cf0af0 Mailbox 68 API calls 20305->20306 20307 2ce3c7e 20306->20307 20926 2ce3ca2 20307->20926 20313 2ce3dcb htons 20312->20313 20314 2ce3d99 htons 20312->20314 20978 2ce3c16 20313->20978 20972 2ce3bd3 20314->20972 20318 2ce3ded 20318->20192 20320 2ce8329 20319->20320 20324 2ce834a 20319->20324 21009 2ce95d3 20320->21009 20323 2ce836f 20323->20192 20324->20323 21012 2ce2ac7 20324->21012 20326 2cf0af0 Mailbox 68 API calls 20325->20326 20329 2ced103 20326->20329 20327 2ced1f1 20327->20192 20328 2ce2db5 73 API calls 20328->20329 20329->20327 20329->20328 20331 2ce83db WSASetLastError shutdown 20330->20331 20332 2ce83cb 20330->20332 20334 2cea4df 69 API calls 20331->20334 20333 2cf0af0 Mailbox 68 API calls 20332->20333 20336 2ce83d0 20333->20336 20335 2ce83f8 20334->20335 20335->20336 20337 2cf0af0 Mailbox 68 API calls 20335->20337 20336->20192 20337->20336 20339 2ce33c4 InterlockedCompareExchange 20338->20339 20340 2ce33e1 20338->20340 20339->20340 20342 2ce33d6 20339->20342 20341 2ce29ee 76 API calls 20340->20341 20344 2ce33f1 20341->20344 21106 2ce32ab 20342->21106 20344->20192 20346 2ce8fe3 __EH_prolog 20345->20346 21154 2ce373f 20346->21154 20348 2ce8ffd RtlEnterCriticalSection 20349 2ce900c RtlLeaveCriticalSection 20348->20349 20351 2ce9046 20349->20351 20351->20192 20353 2cf2f8c _malloc 59 API calls 20352->20353 20354 2ce5362 SHGetSpecialFolderPathA 20353->20354 20355 2ce5378 20354->20355 21163 2cf3751 20355->21163 20358 2ce53e2 20358->20192 20360 2ce53dc 21179 2cf3a64 20360->21179 20363 2cf225b _LocaleUpdate::_LocaleUpdate 59 API calls 20362->20363 20364 2cf2377 20363->20364 20365 2cf2385 20364->20365 20371 2cf239c 20364->20371 20366 2cf5e3b __commit 59 API calls 20365->20366 20367 2cf238a 20366->20367 20368 2cf4ed5 __commit 9 API calls 20367->20368 20369 2cf2395 ___ascii_stricmp 20368->20369 20369->20221 20370 2cf595a 66 API calls __tolower_l 20370->20371 20371->20369 20371->20370 20373 2cf286b 20372->20373 20374 
2cf5e3b __commit 59 API calls 20373->20374 20377 2cf287b _strlen 20373->20377 20375 2cf2870 20374->20375 20376 2cf4ed5 __commit 9 API calls 20375->20376 20376->20377 20377->20227 20379 2cedfe0 __EH_prolog 20378->20379 20380 2cf3b2c _Allocate 60 API calls 20379->20380 20381 2cedff7 20380->20381 20381->20238 20383 2cf0b19 20382->20383 20385 2ce513d 20382->20385 20384 2cf3384 __cinit 68 API calls 20383->20384 20384->20385 20385->20243 20387 2cf0af0 Mailbox 68 API calls 20386->20387 20388 2cea715 20387->20388 20389 2ce519d 20388->20389 20396 2ce2db5 20388->20396 20389->20251 20389->20252 20389->20267 20392 2cf0af0 Mailbox 68 API calls 20391->20392 20394 2cecec9 20392->20394 20393 2cecfd8 20393->20267 20394->20393 20423 2ce2b95 20394->20423 20397 2ce2dca 20396->20397 20398 2ce2de4 20396->20398 20400 2cf0af0 Mailbox 68 API calls 20397->20400 20399 2ce2dfc 20398->20399 20401 2ce2def 20398->20401 20410 2ce2d39 WSASetLastError WSASend 20399->20410 20403 2ce2dcf 20400->20403 20404 2cf0af0 Mailbox 68 API calls 20401->20404 20403->20388 20404->20403 20405 2ce2e0c 20405->20403 20406 2ce2e54 WSASetLastError select 20405->20406 20408 2cf0af0 68 API calls Mailbox 20405->20408 20409 2ce2d39 71 API calls 20405->20409 20420 2cea4df 20406->20420 20408->20405 20409->20405 20411 2cea4df 69 API calls 20410->20411 20412 2ce2d6e 20411->20412 20413 2ce2d75 20412->20413 20415 2ce2d82 20412->20415 20414 2cf0af0 Mailbox 68 API calls 20413->20414 20416 2ce2d7a 20414->20416 20415->20416 20417 2cf0af0 Mailbox 68 API calls 20415->20417 20418 2ce2d9c 20416->20418 20419 2cf0af0 Mailbox 68 API calls 20416->20419 20417->20416 20418->20405 20419->20418 20421 2cf0af0 Mailbox 68 API calls 20420->20421 20422 2cea4eb WSAGetLastError 20421->20422 20422->20405 20424 2ce2bc7 20423->20424 20425 2ce2bb1 20423->20425 20427 2ce2bd2 20424->20427 20437 2ce2bdf 20424->20437 20426 2cf0af0 Mailbox 68 API calls 20425->20426 20431 2ce2bb6 20426->20431 20429 2cf0af0 Mailbox 68 API calls 20427->20429 20428 2ce2be2 
WSASetLastError WSARecv 20430 2cea4df 69 API calls 20428->20430 20429->20431 20430->20437 20431->20394 20432 2ce2d22 20438 2ce1996 20432->20438 20434 2ce2cbc WSASetLastError select 20435 2cea4df 69 API calls 20434->20435 20435->20437 20436 2cf0af0 68 API calls Mailbox 20436->20437 20437->20428 20437->20431 20437->20432 20437->20434 20437->20436 20439 2ce199f 20438->20439 20441 2ce19bb 20438->20441 20440 2cf3384 __cinit 68 API calls 20439->20440 20440->20441 20441->20431 20464 2cee256 20442->20464 20444 2ced0d6 20444->20271 20546 2cf3399 20445->20546 20448 2cf20f4 20448->20273 20449 2cf211d ResumeThread 20449->20273 20450 2cf2116 CloseHandle 20450->20449 20452 2cf0af0 Mailbox 68 API calls 20451->20452 20453 2ce3fb8 20452->20453 20616 2ce1815 20453->20616 20456 2cea661 20457 2cea66b __EH_prolog 20456->20457 20622 2cecc19 20457->20622 20465 2cee260 __EH_prolog 20464->20465 20470 2ce4030 20465->20470 20469 2cee28e 20469->20444 20482 2d053d0 20470->20482 20472 2ce403a GetProcessHeap RtlAllocateHeap 20473 2ce407c 20472->20473 20474 2ce4053 std::exception::exception 20472->20474 20473->20469 20476 2ce408a 20473->20476 20483 2cea6a0 20474->20483 20477 2ce4094 __EH_prolog 20476->20477 20527 2cea2bf 20477->20527 20482->20472 20484 2cea6aa __EH_prolog 20483->20484 20491 2cecc4f 20484->20491 20489 2cf453a __CxxThrowException@8 RaiseException 20490 2cea6d8 20489->20490 20497 2ced7af 20491->20497 20494 2cecc69 20519 2ced7e7 20494->20519 20496 2cea6c7 20496->20489 20500 2cf24f3 20497->20500 20503 2cf2521 20500->20503 20504 2cf252f 20503->20504 20505 2cea6b9 20503->20505 20509 2cf25b7 20504->20509 20505->20494 20510 2cf2534 20509->20510 20511 2cf25c0 20509->20511 20510->20505 20513 2cf2579 20510->20513 20512 2cf2f54 _free 59 API calls 20511->20512 20512->20510 20514 2cf2585 _strlen 20513->20514 20515 2cf25aa 20513->20515 20516 2cf2f8c _malloc 59 API calls 20514->20516 20515->20505 20517 2cf2597 20516->20517 20517->20515 20518 2cf6c9c __cftoe2_l 59 API calls 20517->20518 
20518->20515 20520 2ced7f1 __EH_prolog 20519->20520 20523 2ceb712 20520->20523 20522 2ced828 Mailbox 20522->20496 20524 2ceb71c __EH_prolog 20523->20524 20525 2cf24f3 std::exception::exception 59 API calls 20524->20525 20526 2ceb72d Mailbox 20525->20526 20526->20522 20538 2ceb0d6 20527->20538 20529 2ce40c1 20530 2ce3fdc 20529->20530 20545 2d053d0 20530->20545 20532 2ce3fe6 CreateEventA 20533 2ce400f 20532->20533 20534 2ce3ffd 20532->20534 20533->20469 20535 2ce3fb0 Mailbox 68 API calls 20534->20535 20536 2ce4005 20535->20536 20537 2cea661 Mailbox 60 API calls 20536->20537 20537->20533 20539 2ceb0fe 20538->20539 20540 2ceb0e2 20538->20540 20539->20529 20541 2cf3b2c _Allocate 60 API calls 20540->20541 20542 2ceb0f2 std::exception::exception 20540->20542 20541->20542 20542->20539 20543 2cf453a __CxxThrowException@8 RaiseException 20542->20543 20544 2cefb07 20543->20544 20545->20532 20547 2cf33bb 20546->20547 20548 2cf33a7 20546->20548 20550 2cf8a4c __calloc_crt 59 API calls 20547->20550 20549 2cf5e3b __commit 59 API calls 20548->20549 20551 2cf33ac 20549->20551 20552 2cf33c8 20550->20552 20553 2cf4ed5 __commit 9 API calls 20551->20553 20554 2cf3419 20552->20554 20557 2cf5c3a __CreateFrameInfo 59 API calls 20552->20557 20556 2cf20eb 20553->20556 20555 2cf2f54 _free 59 API calls 20554->20555 20558 2cf341f 20555->20558 20556->20448 20556->20449 20556->20450 20559 2cf33d5 20557->20559 20558->20556 20565 2cf5e1a 20558->20565 20560 2cf5cc1 __initptd 59 API calls 20559->20560 20561 2cf33de CreateThread 20560->20561 20561->20556 20564 2cf3411 GetLastError 20561->20564 20573 2cf34f9 20561->20573 20564->20554 20570 2cf5e07 20565->20570 20567 2cf5e23 _free 20568 2cf5e3b __commit 59 API calls 20567->20568 20569 2cf5e36 20568->20569 20569->20556 20571 2cf5c52 __getptd_noexit 59 API calls 20570->20571 20572 2cf5e0c 20571->20572 20572->20567 20574 2cf3502 __threadstartex@4 20573->20574 20575 2cf91ab __threadstartex@4 TlsGetValue 20574->20575 20576 2cf3508 20575->20576 20577 2cf353b 
20576->20577 20579 2cf350f __threadstartex@4 20576->20579 20578 2cf5acf __freefls@4 59 API calls 20577->20578 20581 2cf3556 ___crtIsPackagedApp 20578->20581 20580 2cf91ca __threadstartex@4 TlsSetValue 20579->20580 20582 2cf351e 20580->20582 20585 2cf356a 20581->20585 20589 2cf34a1 20581->20589 20583 2cf3524 GetLastError RtlExitUserThread 20582->20583 20584 2cf3531 GetCurrentThreadId 20582->20584 20583->20584 20584->20581 20595 2cf3432 20585->20595 20590 2cf34aa LoadLibraryExW GetProcAddress 20589->20590 20591 2cf34e3 RtlDecodePointer 20589->20591 20592 2cf34cd RtlEncodePointer 20590->20592 20593 2cf34cc 20590->20593 20594 2cf34f3 20591->20594 20592->20591 20593->20585 20594->20585 20596 2cf343e __commit 20595->20596 20597 2cf5c3a __CreateFrameInfo 59 API calls 20596->20597 20598 2cf3443 20597->20598 20603 2cf3473 20598->20603 20604 2cf5c52 __getptd_noexit 59 API calls 20603->20604 20605 2cf347c 20604->20605 20606 2cf3497 RtlExitUserThread 20605->20606 20607 2cf3490 20605->20607 20611 2cf3576 20605->20611 20609 2cf5c04 __freeptd 59 API calls 20607->20609 20610 2cf3496 20609->20610 20610->20606 20612 2cf357f LoadLibraryExW GetProcAddress 20611->20612 20613 2cf35b7 RtlDecodePointer 20611->20613 20614 2cf35c5 20612->20614 20615 2cf35a1 RtlEncodePointer 20612->20615 20613->20614 20614->20607 20615->20613 20619 2cf24b3 20616->20619 20620 2cf2579 std::exception::_Copy_str 59 API calls 20619->20620 20621 2ce182a 20620->20621 20621->20456 20628 2ced6e0 20622->20628 20625 2cecc33 20690 2ced718 20625->20690 20627 2cea68e 20631 2ceb204 20628->20631 20632 2ceb20e __EH_prolog 20631->20632 20633 2cf24f3 std::exception::exception 59 API calls 20632->20633 20634 2ceb21f 20633->20634 20637 2ce7cd4 20634->20637 20640 2ce88ce 20637->20640 20639 2ce7cf3 20639->20625 20641 2ce8957 20640->20641 20642 2ce88e3 20640->20642 20669 2cefb36 20641->20669 20643 2ce8907 20642->20643 20644 2ce88f0 20642->20644 20662 2ce91f4 20643->20662 20652 2ce9101 20644->20652 20651 2ce8905 _memmove 
20651->20639 20653 2ce88f8 20652->20653 20654 2ce9125 20652->20654 20657 2ce9130 20653->20657 20655 2cefb36 std::bad_exception::bad_exception 60 API calls 20654->20655 20656 2ce912f 20655->20656 20658 2ce91a7 20657->20658 20661 2ce9141 _memmove 20657->20661 20659 2cefb36 std::bad_exception::bad_exception 60 API calls 20658->20659 20660 2ce91b1 20659->20660 20661->20651 20663 2ce924c 20662->20663 20664 2ce9200 20662->20664 20678 2cefb08 20663->20678 20668 2ce920e std::bad_exception::bad_exception 20664->20668 20674 2ce9aaf 20664->20674 20668->20651 20670 2cf24b3 std::exception::exception 59 API calls 20669->20670 20671 2cefb4e 20670->20671 20672 2cf453a __CxxThrowException@8 RaiseException 20671->20672 20673 2cefb63 20672->20673 20675 2ce9ab9 __EH_prolog 20674->20675 20683 2ceac50 20675->20683 20677 2ce9b10 _memmove std::bad_exception::bad_exception 20677->20668 20679 2cf24b3 std::exception::exception 59 API calls 20678->20679 20680 2cefb20 20679->20680 20681 2cf453a __CxxThrowException@8 RaiseException 20680->20681 20682 2cefb35 20681->20682 20684 2ceac5c 20683->20684 20685 2ceac73 20683->20685 20686 2cf3b2c _Allocate 60 API calls 20684->20686 20687 2ceac67 std::exception::exception 20684->20687 20685->20677 20686->20687 20687->20685 20688 2cf453a __CxxThrowException@8 RaiseException 20687->20688 20689 2cefb07 20688->20689 20691 2ced722 __EH_prolog 20690->20691 20694 2ceb5fc 20691->20694 20693 2ced759 Mailbox 20693->20627 20695 2ceb606 __EH_prolog 20694->20695 20696 2ceb204 std::bad_exception::bad_exception 60 API calls 20695->20696 20697 2ceb617 Mailbox 20696->20697 20697->20693 20699 2cea6e8 GetProcessHeap HeapFree 20698->20699 20699->20285 20701 2cf225b _LocaleUpdate::_LocaleUpdate 59 API calls 20700->20701 20702 2cf60a5 20701->20702 20703 2cf5e3b __commit 59 API calls 20702->20703 20704 2cf60aa 20703->20704 20705 2cf6b7b 20704->20705 20719 2cf60ca __output_l __aulldvrm _strlen 20704->20719 20745 2cf9e11 20704->20745 20706 2cf5e3b __commit 59 API calls 
20705->20706 20708 2cf6b80 20706->20708 20710 2cf4ed5 __commit 9 API calls 20708->20710 20709 2cf6b55 20711 2cf452b ___crt_atoflt_l 6 API calls 20709->20711 20710->20709 20712 2cf2456 20711->20712 20712->20295 20724 2cf5ee1 20712->20724 20714 2cf6bb0 79 API calls _write_multi_char 20714->20719 20715 2cf6733 RtlDecodePointer 20715->20719 20716 2cf2f54 _free 59 API calls 20716->20719 20717 2cf8a94 __malloc_crt 59 API calls 20717->20719 20718 2cf6796 RtlDecodePointer 20718->20719 20719->20705 20719->20709 20719->20714 20719->20715 20719->20716 20719->20717 20719->20718 20720 2cf67bb RtlDecodePointer 20719->20720 20721 2cf6bf8 79 API calls _write_multi_char 20719->20721 20722 2cffac4 61 API calls __cftof 20719->20722 20723 2cf6c24 79 API calls _write_string 20719->20723 20752 2cfdcee 20719->20752 20720->20719 20721->20719 20722->20719 20723->20719 20725 2cf9e11 __filbuf 59 API calls 20724->20725 20726 2cf5eef 20725->20726 20727 2cf5efa 20726->20727 20728 2cf5f11 20726->20728 20729 2cf5e3b __commit 59 API calls 20727->20729 20730 2cf5f16 20728->20730 20731 2cf5f23 __flsbuf 20728->20731 20738 2cf5eff 20729->20738 20732 2cf5e3b __commit 59 API calls 20730->20732 20731->20738 20741 2cf5f72 20731->20741 20744 2cf5f7d 20731->20744 20755 2cff782 20731->20755 20732->20738 20733 2cf5f87 20736 2cf5fa1 20733->20736 20740 2cf5fb8 20733->20740 20734 2cf6001 20735 2cf9e35 __write 79 API calls 20734->20735 20735->20738 20767 2cf9e35 20736->20767 20738->20295 20740->20738 20795 2cff7d6 20740->20795 20741->20744 20764 2cff945 20741->20764 20744->20733 20744->20734 20746 2cf9e1b 20745->20746 20747 2cf9e30 20745->20747 20748 2cf5e3b __commit 59 API calls 20746->20748 20747->20719 20749 2cf9e20 20748->20749 20750 2cf4ed5 __commit 9 API calls 20749->20750 20751 2cf9e2b 20750->20751 20751->20719 20753 2cf225b _LocaleUpdate::_LocaleUpdate 59 API calls 20752->20753 20754 2cfdcff 20753->20754 20754->20719 20756 2cff78d 20755->20756 20757 2cff79a 20755->20757 20758 2cf5e3b __commit 59 API calls 
20756->20758 20760 2cff7a6 20757->20760 20761 2cf5e3b __commit 59 API calls 20757->20761 20759 2cff792 20758->20759 20759->20741 20760->20741 20762 2cff7c7 20761->20762 20763 2cf4ed5 __commit 9 API calls 20762->20763 20763->20759 20765 2cf8a94 __malloc_crt 59 API calls 20764->20765 20766 2cff95a 20765->20766 20766->20744 20768 2cf9e41 __commit 20767->20768 20769 2cf9e4e 20768->20769 20770 2cf9e65 20768->20770 20771 2cf5e07 __commit 59 API calls 20769->20771 20772 2cf9f04 20770->20772 20774 2cf9e79 20770->20774 20773 2cf9e53 20771->20773 20775 2cf5e07 __commit 59 API calls 20772->20775 20776 2cf5e3b __commit 59 API calls 20773->20776 20777 2cf9e97 20774->20777 20778 2cf9ea1 20774->20778 20781 2cf9e9c 20775->20781 20787 2cf9e5a __commit 20776->20787 20779 2cf5e07 __commit 59 API calls 20777->20779 20820 2d00c67 20778->20820 20779->20781 20783 2cf5e3b __commit 59 API calls 20781->20783 20782 2cf9ea7 20784 2cf9ecd 20782->20784 20785 2cf9eba 20782->20785 20786 2cf9f10 20783->20786 20790 2cf5e3b __commit 59 API calls 20784->20790 20829 2cf9f24 20785->20829 20789 2cf4ed5 __commit 9 API calls 20786->20789 20787->20738 20789->20787 20792 2cf9ed2 20790->20792 20791 2cf9ec6 20888 2cf9efc 20791->20888 20793 2cf5e07 __commit 59 API calls 20792->20793 20793->20791 20796 2cff7e2 __commit 20795->20796 20797 2cff80b 20796->20797 20798 2cff7f3 20796->20798 20799 2cff8b0 20797->20799 20803 2cff840 20797->20803 20800 2cf5e07 __commit 59 API calls 20798->20800 20801 2cf5e07 __commit 59 API calls 20799->20801 20802 2cff7f8 20800->20802 20804 2cff8b5 20801->20804 20805 2cf5e3b __commit 59 API calls 20802->20805 20807 2d00c67 ___lock_fhandle 60 API calls 20803->20807 20808 2cf5e3b __commit 59 API calls 20804->20808 20806 2cff800 __commit 20805->20806 20806->20738 20809 2cff846 20807->20809 20810 2cff8bd 20808->20810 20811 2cff85c 20809->20811 20812 2cff874 20809->20812 20813 2cf4ed5 __commit 9 API calls 20810->20813 20814 2cff8d2 __lseeki64_nolock 61 API calls 20811->20814 20815 2cf5e3b 
__commit 59 API calls 20812->20815 20813->20806 20816 2cff86b 20814->20816 20817 2cff879 20815->20817 20921 2cff8a8 20816->20921 20818 2cf5e07 __commit 59 API calls 20817->20818 20818->20816 20821 2d00c73 __commit 20820->20821 20822 2d00cc2 RtlEnterCriticalSection 20821->20822 20823 2cf88cd __lock 59 API calls 20821->20823 20824 2d00ce8 __commit 20822->20824 20825 2d00c98 20823->20825 20824->20782 20826 2cf91ec __mtinitlocks InitializeCriticalSectionAndSpinCount 20825->20826 20828 2d00cb0 20825->20828 20826->20828 20891 2d00cec 20828->20891 20830 2cf9f31 __write_nolock 20829->20830 20831 2cf9f8f 20830->20831 20832 2cf9f70 20830->20832 20861 2cf9f65 20830->20861 20835 2cf9fe7 20831->20835 20836 2cf9fcb 20831->20836 20834 2cf5e07 __commit 59 API calls 20832->20834 20833 2cf452b ___crt_atoflt_l 6 API calls 20837 2cfa785 20833->20837 20838 2cf9f75 20834->20838 20840 2cfa000 20835->20840 20895 2cff8d2 20835->20895 20839 2cf5e07 __commit 59 API calls 20836->20839 20837->20791 20841 2cf5e3b __commit 59 API calls 20838->20841 20842 2cf9fd0 20839->20842 20845 2cff782 __write_nolock 59 API calls 20840->20845 20844 2cf9f7c 20841->20844 20847 2cf5e3b __commit 59 API calls 20842->20847 20848 2cf4ed5 __commit 9 API calls 20844->20848 20846 2cfa00e 20845->20846 20849 2cfa367 20846->20849 20854 2cf5c3a __CreateFrameInfo 59 API calls 20846->20854 20850 2cf9fd7 20847->20850 20848->20861 20851 2cfa6fa WriteFile 20849->20851 20852 2cfa385 20849->20852 20853 2cf4ed5 __commit 9 API calls 20850->20853 20855 2cfa35a GetLastError 20851->20855 20860 2cfa327 20851->20860 20856 2cfa4a9 20852->20856 20864 2cfa39b 20852->20864 20853->20861 20857 2cfa03a GetConsoleMode 20854->20857 20855->20860 20867 2cfa4b4 20856->20867 20880 2cfa59e 20856->20880 20857->20849 20859 2cfa079 20857->20859 20858 2cfa733 20858->20861 20865 2cf5e3b __commit 59 API calls 20858->20865 20859->20849 20862 2cfa089 GetConsoleCP 20859->20862 20860->20858 20860->20861 20866 2cfa487 20860->20866 20861->20833 20862->20858 
20886 2cfa0b8 20862->20886 20863 2cfa40a WriteFile 20863->20855 20863->20864 20864->20858 20864->20860 20864->20863 20868 2cfa761 20865->20868 20870 2cfa72a 20866->20870 20871 2cfa492 20866->20871 20867->20858 20867->20860 20873 2cfa519 WriteFile 20867->20873 20869 2cf5e07 __commit 59 API calls 20868->20869 20869->20861 20875 2cf5e1a __dosmaperr 59 API calls 20870->20875 20874 2cf5e3b __commit 59 API calls 20871->20874 20872 2cfa613 WideCharToMultiByte 20872->20855 20872->20880 20873->20855 20873->20867 20876 2cfa497 20874->20876 20875->20861 20878 2cf5e07 __commit 59 API calls 20876->20878 20877 2cfa662 WriteFile 20877->20880 20881 2cfa6b5 GetLastError 20877->20881 20878->20861 20880->20858 20880->20860 20880->20872 20880->20877 20881->20880 20882 2d01033 WriteConsoleW CreateFileW __putwch_nolock 20882->20886 20883 2cfffea 61 API calls __write_nolock 20883->20886 20884 2cfa1a1 WideCharToMultiByte 20884->20860 20885 2cfa1dc WriteFile 20884->20885 20885->20855 20885->20886 20886->20855 20886->20860 20886->20882 20886->20883 20886->20884 20887 2cfa236 WriteFile 20886->20887 20904 2cfdd28 20886->20904 20887->20855 20887->20886 20920 2d0100d RtlLeaveCriticalSection 20888->20920 20890 2cf9f02 20890->20787 20894 2cf8a37 RtlLeaveCriticalSection 20891->20894 20893 2d00cf3 20893->20822 20894->20893 20907 2d00f24 20895->20907 20897 2cff8e2 20898 2cff8fb SetFilePointerEx 20897->20898 20899 2cff8ea 20897->20899 20900 2cff913 GetLastError 20898->20900 20903 2cff8ef 20898->20903 20901 2cf5e3b __commit 59 API calls 20899->20901 20902 2cf5e1a __dosmaperr 59 API calls 20900->20902 20901->20903 20902->20903 20903->20840 20905 2cfdcee __isleadbyte_l 59 API calls 20904->20905 20906 2cfdd35 20905->20906 20906->20886 20908 2d00f44 20907->20908 20909 2d00f2f 20907->20909 20911 2cf5e07 __commit 59 API calls 20908->20911 20914 2d00f69 20908->20914 20910 2cf5e07 __commit 59 API calls 20909->20910 20912 2d00f34 20910->20912 20915 2d00f73 20911->20915 20913 2cf5e3b __commit 59 API calls 
20912->20913 20917 2d00f3c 20913->20917 20914->20897 20916 2cf5e3b __commit 59 API calls 20915->20916 20918 2d00f7b 20916->20918 20917->20897 20919 2cf4ed5 __commit 9 API calls 20918->20919 20919->20917 20920->20890 20924 2d0100d RtlLeaveCriticalSection 20921->20924 20923 2cff8ae 20923->20806 20924->20923 20925->20299 20937 2ce30ae WSASetLastError 20926->20937 20929 2ce30ae 71 API calls 20930 2ce3c90 20929->20930 20931 2ce16ae 20930->20931 20932 2ce16b8 __EH_prolog 20931->20932 20933 2ce1701 20932->20933 20934 2cf24b3 std::exception::exception 59 API calls 20932->20934 20933->20192 20935 2ce16dc 20934->20935 20953 2cea478 20935->20953 20938 2ce30ce 20937->20938 20939 2ce30ec WSAStringToAddressA 20937->20939 20938->20939 20940 2ce30d3 20938->20940 20941 2cea4df 69 API calls 20939->20941 20942 2cf0af0 Mailbox 68 API calls 20940->20942 20943 2ce3114 20941->20943 20952 2ce30d8 20942->20952 20944 2ce3154 20943->20944 20947 2ce311e _memcmp 20943->20947 20945 2ce3135 20944->20945 20948 2cf0af0 Mailbox 68 API calls 20944->20948 20946 2ce3193 20945->20946 20949 2cf0af0 Mailbox 68 API calls 20945->20949 20951 2cf0af0 Mailbox 68 API calls 20946->20951 20946->20952 20947->20945 20950 2cf0af0 Mailbox 68 API calls 20947->20950 20948->20945 20949->20946 20950->20945 20951->20952 20952->20929 20952->20930 20954 2cea482 __EH_prolog 20953->20954 20961 2cec9dd 20954->20961 20958 2cea4a3 20959 2cf453a __CxxThrowException@8 RaiseException 20958->20959 20960 2cea4b1 20959->20960 20962 2ceb204 std::bad_exception::bad_exception 60 API calls 20961->20962 20963 2cea495 20962->20963 20964 2ceca19 20963->20964 20965 2ceca23 __EH_prolog 20964->20965 20968 2ceb1b3 20965->20968 20967 2ceca52 Mailbox 20967->20958 20969 2ceb1bd __EH_prolog 20968->20969 20970 2ceb204 std::bad_exception::bad_exception 60 API calls 20969->20970 20971 2ceb1ce Mailbox 20970->20971 20971->20967 20973 2ce3bdd __EH_prolog 20972->20973 20974 2ce3bfe htonl htonl 20973->20974 20984 2cf2497 20973->20984 20974->20318 20979 
2ce3c20 __EH_prolog 20978->20979 20980 2ce3c41 20979->20980 20981 2cf2497 std::bad_exception::bad_exception 59 API calls 20979->20981 20980->20318 20982 2ce3c35 20981->20982 20983 2cea62d 60 API calls 20982->20983 20983->20980 20985 2cf24b3 std::exception::exception 59 API calls 20984->20985 20986 2ce3bf2 20985->20986 20987 2cea62d 20986->20987 20988 2cea637 __EH_prolog 20987->20988 20995 2cecb50 20988->20995 20992 2cea652 20993 2cf453a __CxxThrowException@8 RaiseException 20992->20993 20994 2cea660 20993->20994 21002 2cf247c 20995->21002 20998 2cecb8c 20999 2cecb96 __EH_prolog 20998->20999 21005 2ceb522 20999->21005 21001 2cecbc5 Mailbox 21001->20992 21003 2cf24f3 std::exception::exception 59 API calls 21002->21003 21004 2cea644 21003->21004 21004->20998 21006 2ceb52c __EH_prolog 21005->21006 21007 2cf247c std::bad_exception::bad_exception 59 API calls 21006->21007 21008 2ceb53d Mailbox 21007->21008 21008->21001 21030 2ce353e 21009->21030 21013 2ce2ae8 WSASetLastError connect 21012->21013 21014 2ce2ad8 21012->21014 21015 2cea4df 69 API calls 21013->21015 21016 2cf0af0 Mailbox 68 API calls 21014->21016 21018 2ce2b07 21015->21018 21017 2ce2add 21016->21017 21020 2cf0af0 Mailbox 68 API calls 21017->21020 21018->21017 21019 2cf0af0 Mailbox 68 API calls 21018->21019 21019->21017 21021 2ce2b1b 21020->21021 21023 2cf0af0 Mailbox 68 API calls 21021->21023 21025 2ce2b38 21021->21025 21023->21025 21026 2ce2b87 21025->21026 21090 2ce3027 21025->21090 21026->20323 21029 2cf0af0 Mailbox 68 API calls 21029->21026 21031 2ce3548 __EH_prolog 21030->21031 21032 2ce3576 21031->21032 21033 2ce3557 21031->21033 21052 2ce2edd WSASetLastError WSASocketA 21032->21052 21034 2ce1996 68 API calls 21033->21034 21049 2ce355f 21034->21049 21037 2ce35ad CreateIoCompletionPort 21038 2ce35db 21037->21038 21039 2ce35c5 GetLastError 21037->21039 21041 2cf0af0 Mailbox 68 API calls 21038->21041 21040 2cf0af0 Mailbox 68 API calls 21039->21040 21042 2ce35d2 21040->21042 21041->21042 21043 2ce35ef 
21042->21043 21044 2ce3626 21042->21044 21045 2cf0af0 Mailbox 68 API calls 21043->21045 21078 2cedec9 21044->21078 21046 2ce3608 21045->21046 21060 2ce29ee 21046->21060 21049->20324 21050 2ce3659 21051 2cf0af0 Mailbox 68 API calls 21050->21051 21051->21049 21053 2cf0af0 Mailbox 68 API calls 21052->21053 21054 2ce2f0a WSAGetLastError 21053->21054 21055 2ce2f41 21054->21055 21056 2ce2f21 21054->21056 21055->21037 21055->21049 21057 2ce2f3c 21056->21057 21058 2ce2f27 setsockopt 21056->21058 21059 2cf0af0 Mailbox 68 API calls 21057->21059 21058->21057 21059->21055 21061 2ce2aad 21060->21061 21064 2ce2a0c 21060->21064 21062 2cf0af0 Mailbox 68 API calls 21061->21062 21065 2ce2ab8 21061->21065 21062->21065 21063 2ce2a39 WSASetLastError closesocket 21066 2cea4df 69 API calls 21063->21066 21064->21063 21068 2cf0af0 Mailbox 68 API calls 21064->21068 21065->21049 21067 2ce2a51 21066->21067 21067->21061 21071 2cf0af0 Mailbox 68 API calls 21067->21071 21069 2ce2a21 21068->21069 21082 2ce2f50 21069->21082 21073 2ce2a5c 21071->21073 21074 2ce2a7b ioctlsocket WSASetLastError closesocket 21073->21074 21075 2cf0af0 Mailbox 68 API calls 21073->21075 21077 2cea4df 69 API calls 21074->21077 21076 2ce2a6e 21075->21076 21076->21061 21076->21074 21077->21061 21079 2ceded3 __EH_prolog 21078->21079 21080 2cf3b2c _Allocate 60 API calls 21079->21080 21081 2cedee7 21080->21081 21081->21050 21083 2ce2f5b 21082->21083 21084 2ce2f70 WSASetLastError setsockopt 21082->21084 21085 2cf0af0 Mailbox 68 API calls 21083->21085 21086 2cea4df 69 API calls 21084->21086 21089 2ce2a36 21085->21089 21087 2ce2f9e 21086->21087 21088 2cf0af0 Mailbox 68 API calls 21087->21088 21087->21089 21088->21089 21089->21063 21091 2ce304d WSASetLastError select 21090->21091 21092 2ce303b 21090->21092 21094 2cea4df 69 API calls 21091->21094 21093 2cf0af0 Mailbox 68 API calls 21092->21093 21097 2ce2b59 21093->21097 21095 2ce3095 21094->21095 21096 2cf0af0 Mailbox 68 API calls 21095->21096 21095->21097 21096->21097 21097->21026 
21098 2ce2fb4 21097->21098 21099 2ce2fd5 WSASetLastError getsockopt 21098->21099 21100 2ce2fc0 21098->21100 21102 2cea4df 69 API calls 21099->21102 21101 2cf0af0 Mailbox 68 API calls 21100->21101 21105 2ce2b7a 21101->21105 21103 2ce300f 21102->21103 21104 2cf0af0 Mailbox 68 API calls 21103->21104 21103->21105 21104->21105 21105->21026 21105->21029 21113 2d053d0 21106->21113 21108 2ce32b5 RtlEnterCriticalSection 21109 2cf0af0 Mailbox 68 API calls 21108->21109 21110 2ce32d6 21109->21110 21114 2ce3307 21110->21114 21113->21108 21116 2ce3311 __EH_prolog 21114->21116 21117 2ce3350 21116->21117 21126 2ce7e58 21116->21126 21130 2ce239d 21117->21130 21119 2ce3390 21136 2ce7e01 21119->21136 21122 2cf0af0 Mailbox 68 API calls 21124 2ce337c 21122->21124 21125 2ce2d39 71 API calls 21124->21125 21125->21119 21128 2ce7e66 21126->21128 21129 2ce7edc 21128->21129 21140 2ce89bd 21128->21140 21129->21116 21131 2ce23ab 21130->21131 21132 2ce2417 21131->21132 21133 2ce23c1 PostQueuedCompletionStatus 21131->21133 21135 2ce23f8 InterlockedExchange RtlLeaveCriticalSection 21131->21135 21132->21119 21132->21122 21133->21131 21134 2ce23da RtlEnterCriticalSection 21133->21134 21134->21131 21135->21131 21139 2ce7e06 21136->21139 21137 2ce32ee RtlLeaveCriticalSection 21137->20340 21139->21137 21151 2ce1e7f 21139->21151 21141 2ce89e7 21140->21141 21142 2ce7e01 68 API calls 21141->21142 21144 2ce8a2d 21142->21144 21143 2ce8a54 21143->21129 21144->21143 21146 2cea24a 21144->21146 21147 2cea264 21146->21147 21148 2cea254 21146->21148 21147->21143 21148->21147 21149 2cefb08 std::bad_exception::bad_exception 60 API calls 21148->21149 21150 2cea2be 21149->21150 21152 2cf0af0 Mailbox 68 API calls 21151->21152 21153 2ce1e90 21152->21153 21153->21139 21155 2ce3755 InterlockedCompareExchange 21154->21155 21156 2ce3770 21154->21156 21155->21156 21157 2ce3765 21155->21157 21158 2cf0af0 Mailbox 68 API calls 21156->21158 21159 2ce32ab 78 API calls 21157->21159 21160 2ce3779 21158->21160 21159->21156 21161 
2ce29ee 76 API calls 21160->21161 21162 2ce378e 21161->21162 21162->20348 21192 2cf368d 21163->21192 21165 2ce53c8 21165->20358 21166 2cf38e6 21165->21166 21167 2cf38f2 __commit 21166->21167 21168 2cf3928 21167->21168 21169 2cf3910 21167->21169 21171 2cf3920 __commit 21167->21171 21334 2cf97d2 21168->21334 21170 2cf5e3b __commit 59 API calls 21169->21170 21173 2cf3915 21170->21173 21171->20360 21176 2cf4ed5 __commit 9 API calls 21173->21176 21176->21171 21180 2cf3a70 __commit 21179->21180 21181 2cf3a9c 21180->21181 21182 2cf3a84 21180->21182 21184 2cf97d2 __lock_file 60 API calls 21181->21184 21188 2cf3a94 __commit 21181->21188 21183 2cf5e3b __commit 59 API calls 21182->21183 21185 2cf3a89 21183->21185 21186 2cf3aae 21184->21186 21187 2cf4ed5 __commit 9 API calls 21185->21187 21361 2cf39f8 21186->21361 21187->21188 21188->20358 21195 2cf3699 __commit 21192->21195 21193 2cf36ab 21194 2cf5e3b __commit 59 API calls 21193->21194 21196 2cf36b0 21194->21196 21195->21193 21197 2cf36d8 21195->21197 21198 2cf4ed5 __commit 9 API calls 21196->21198 21211 2cf98a8 21197->21211 21208 2cf36bb __commit @_EH4_CallFilterFunc@8 21198->21208 21200 2cf36dd 21201 2cf36e6 21200->21201 21202 2cf36f3 21200->21202 21205 2cf5e3b __commit 59 API calls 21201->21205 21203 2cf371c 21202->21203 21204 2cf36fc 21202->21204 21226 2cf99c7 21203->21226 21206 2cf5e3b __commit 59 API calls 21204->21206 21205->21208 21206->21208 21208->21165 21212 2cf98b4 __commit 21211->21212 21213 2cf88cd __lock 59 API calls 21212->21213 21214 2cf98c2 21213->21214 21215 2cf993d 21214->21215 21221 2cf8955 __mtinitlocknum 59 API calls 21214->21221 21224 2cf9936 21214->21224 21246 2cf9811 21214->21246 21251 2cf987b 21214->21251 21216 2cf8a94 __malloc_crt 59 API calls 21215->21216 21218 2cf9944 21216->21218 21220 2cf91ec __mtinitlocks InitializeCriticalSectionAndSpinCount 21218->21220 21218->21224 21219 2cf99b3 __commit 21219->21200 21223 2cf996a RtlEnterCriticalSection 21220->21223 21221->21214 21223->21224 21256 2cf99be 
21224->21256 21235 2cf99e4 21226->21235 21227 2cf99f8 21229 2cf5e3b __commit 59 API calls 21227->21229 21228 2cf9b9f 21228->21227 21231 2cf9bfb 21228->21231 21230 2cf99fd 21229->21230 21232 2cf4ed5 __commit 9 API calls 21230->21232 21267 2d00810 21231->21267 21234 2cf3727 21232->21234 21243 2cf3749 21234->21243 21235->21227 21235->21228 21261 2d0082e 21235->21261 21240 2d0095d __openfile 59 API calls 21241 2cf9bb7 21240->21241 21241->21228 21242 2d0095d __openfile 59 API calls 21241->21242 21242->21228 21327 2cf9841 21243->21327 21245 2cf374f 21245->21208 21247 2cf981c 21246->21247 21248 2cf9832 RtlEnterCriticalSection 21246->21248 21249 2cf88cd __lock 59 API calls 21247->21249 21248->21214 21250 2cf9825 21249->21250 21250->21214 21252 2cf989c RtlLeaveCriticalSection 21251->21252 21253 2cf9889 21251->21253 21252->21214 21259 2cf8a37 RtlLeaveCriticalSection 21253->21259 21255 2cf9899 21255->21214 21260 2cf8a37 RtlLeaveCriticalSection 21256->21260 21258 2cf99c5 21258->21219 21259->21255 21260->21258 21270 2d00846 21261->21270 21263 2cf9b65 21263->21227 21264 2d0095d 21263->21264 21278 2d00975 21264->21278 21266 2cf9b98 21266->21228 21266->21240 21285 2d006f9 21267->21285 21269 2d00829 21269->21234 21271 2d0085b 21270->21271 21277 2d00854 21270->21277 21272 2cf225b _LocaleUpdate::_LocaleUpdate 59 API calls 21271->21272 21273 2d00868 21272->21273 21274 2cf5e3b __commit 59 API calls 21273->21274 21273->21277 21275 2d0089b 21274->21275 21276 2cf4ed5 __commit 9 API calls 21275->21276 21276->21277 21277->21263 21279 2cf225b _LocaleUpdate::_LocaleUpdate 59 API calls 21278->21279 21281 2d00988 21279->21281 21280 2d0099d 21280->21266 21281->21280 21282 2cf5e3b __commit 59 API calls 21281->21282 21283 2d009c9 21282->21283 21284 2cf4ed5 __commit 9 API calls 21283->21284 21284->21280 21287 2d00705 __commit 21285->21287 21286 2d0071b 21288 2cf5e3b __commit 59 API calls 21286->21288 21287->21286 21289 2d00751 21287->21289 21290 2d00720 21288->21290 21296 2d007c2 21289->21296 21292 
2cf4ed5 __commit 9 API calls 21290->21292 21295 2d0072a __commit 21292->21295 21295->21269 21305 2cf8216 21296->21305 21298 2d0076d 21301 2d00796 21298->21301 21299 2d007d6 21299->21298 21300 2cf2f54 _free 59 API calls 21299->21300 21300->21298 21302 2d0079c 21301->21302 21304 2d007c0 21301->21304 21326 2d0100d RtlLeaveCriticalSection 21302->21326 21304->21295 21306 2cf8239 21305->21306 21307 2cf8223 21305->21307 21306->21307 21308 2cf8240 ___crtIsPackagedApp 21306->21308 21309 2cf5e3b __commit 59 API calls 21307->21309 21312 2cf8249 AreFileApisANSI 21308->21312 21313 2cf8256 MultiByteToWideChar 21308->21313 21310 2cf8228 21309->21310 21311 2cf4ed5 __commit 9 API calls 21310->21311 21321 2cf8232 21311->21321 21312->21313 21314 2cf8253 21312->21314 21315 2cf8281 21313->21315 21316 2cf8270 GetLastError 21313->21316 21314->21313 21318 2cf8a94 __malloc_crt 59 API calls 21315->21318 21317 2cf5e1a __dosmaperr 59 API calls 21316->21317 21317->21321 21319 2cf8289 21318->21319 21320 2cf8290 MultiByteToWideChar 21319->21320 21319->21321 21320->21321 21322 2cf82a6 GetLastError 21320->21322 21321->21299 21323 2cf5e1a __dosmaperr 59 API calls 21322->21323 21324 2cf82b2 21323->21324 21325 2cf2f54 _free 59 API calls 21324->21325 21325->21321 21326->21304 21328 2cf986f RtlLeaveCriticalSection 21327->21328 21329 2cf9850 21327->21329 21328->21245 21329->21328 21330 2cf9857 21329->21330 21333 2cf8a37 RtlLeaveCriticalSection 21330->21333 21332 2cf986c 21332->21245 21333->21332 21335 2cf9804 RtlEnterCriticalSection 21334->21335 21336 2cf97e2 21334->21336 21338 2cf392e 21335->21338 21336->21335 21337 2cf97ea 21336->21337 21339 2cf88cd __lock 59 API calls 21337->21339 21340 2cf378d 21338->21340 21339->21338 21342 2cf379c 21340->21342 21347 2cf37ba 21340->21347 21341 2cf37aa 21343 2cf5e3b __commit 59 API calls 21341->21343 21342->21341 21342->21347 21350 2cf37d4 _memmove 21342->21350 21344 2cf37af 21343->21344 21345 2cf4ed5 __commit 9 API calls 21344->21345 21345->21347 21346 2cf5ee1 
__flsbuf 79 API calls 21346->21350 21352 2cf3960 21347->21352 21349 2cf9e11 __filbuf 59 API calls 21349->21350 21350->21346 21350->21347 21350->21349 21351 2cf9e35 __write 79 API calls 21350->21351 21355 2cfa7cf 21350->21355 21351->21350 21353 2cf9841 __fsopen 2 API calls 21352->21353 21354 2cf3966 21353->21354 21354->21171 21356 2cfa7e2 21355->21356 21360 2cfa806 21355->21360 21357 2cf9e11 __filbuf 59 API calls 21356->21357 21356->21360 21358 2cfa7ff 21357->21358 21359 2cf9e35 __write 79 API calls 21358->21359 21359->21360 21360->21350 21362 2cf3a1b 21361->21362 21363 2cf3a07 21361->21363 21365 2cf3a17 21362->21365 21367 2cfa7cf __flush 79 API calls 21362->21367 21364 2cf5e3b __commit 59 API calls 21363->21364 21366 2cf3a0c 21364->21366 21377 2cf3ad3 21365->21377 21368 2cf4ed5 __commit 9 API calls 21366->21368 21369 2cf3a27 21367->21369 21368->21365 21380 2cfb27b 21369->21380 21372 2cf9e11 __filbuf 59 API calls 21373 2cf3a35 21372->21373 21384 2cfb106 21373->21384 21375 2cf3a3b 21375->21365 21376 2cf2f54 _free 59 API calls 21375->21376 21376->21365 21378 2cf9841 __fsopen 2 API calls 21377->21378 21379 2cf3ad9 21378->21379 21379->21188 21381 2cf3a2f 21380->21381 21382 2cfb288 21380->21382 21381->21372 21382->21381 21383 2cf2f54 _free 59 API calls 21382->21383 21383->21381 21385 2cfb112 __commit 21384->21385 21386 2cfb11f 21385->21386 21387 2cfb136 21385->21387 21388 2cf5e07 __commit 59 API calls 21386->21388 21389 2cfb1c1 21387->21389 21391 2cfb146 21387->21391 21390 2cfb124 21388->21390 21392 2cf5e07 __commit 59 API calls 21389->21392 21393 2cf5e3b __commit 59 API calls 21390->21393 21394 2cfb16e 21391->21394 21395 2cfb164 21391->21395 21397 2cfb169 21392->21397 21407 2cfb12b __commit 21393->21407 21398 2d00c67 ___lock_fhandle 60 API calls 21394->21398 21396 2cf5e07 __commit 59 API calls 21395->21396 21396->21397 21399 2cf5e3b __commit 59 API calls 21397->21399 21400 2cfb174 21398->21400 21401 2cfb1cd 21399->21401 21402 2cfb187 21400->21402 21403 2cfb192 
21400->21403 21405 2cf4ed5 __commit 9 API calls 21401->21405 21410 2cfb1e1 21402->21410 21404 2cf5e3b __commit 59 API calls 21403->21404 21408 2cfb18d 21404->21408 21405->21407 21407->21375 21425 2cfb1b9 21408->21425 21411 2d00f24 __commit 59 API calls 21410->21411 21414 2cfb1ef 21411->21414 21412 2cfb245 21428 2d00e9e 21412->21428 21414->21412 21416 2d00f24 __commit 59 API calls 21414->21416 21424 2cfb223 21414->21424 21420 2cfb21a 21416->21420 21417 2d00f24 __commit 59 API calls 21418 2cfb22f CloseHandle 21417->21418 21418->21412 21421 2cfb23b GetLastError 21418->21421 21419 2cfb26f 21419->21408 21423 2d00f24 __commit 59 API calls 21420->21423 21421->21412 21422 2cf5e1a __dosmaperr 59 API calls 21422->21419 21423->21424 21424->21412 21424->21417 21437 2d0100d RtlLeaveCriticalSection 21425->21437 21427 2cfb1bf 21427->21407 21429 2d00f0a 21428->21429 21430 2d00eaa 21428->21430 21431 2cf5e3b __commit 59 API calls 21429->21431 21430->21429 21435 2d00ed3 21430->21435 21432 2d00f0f 21431->21432 21433 2cf5e07 __commit 59 API calls 21432->21433 21434 2cfb24d 21433->21434 21434->21419 21434->21422 21435->21434 21436 2d00ef5 SetStdHandle 21435->21436 21436->21434 21437->21427 19515 402848 19516 40d3fe 19515->19516 19519 401f64 FindResourceA 19516->19519 19518 40d403 19520 401f86 GetLastError SizeofResource 19519->19520 19525 401f9f 19519->19525 19521 401fa6 LoadResource LockResource GlobalAlloc 19520->19521 19520->19525 19522 401fd2 19521->19522 19523 401ffb GetTickCount 19522->19523 19526 402005 GlobalAlloc 19523->19526 19525->19518 19526->19525 19527 2d1e01e 19528 2d1e023 19527->19528 19532 2cef97d LoadLibraryA 19528->19532 19529 2d28c16 19531 2cef97d 64 API calls 19529->19531 19531->19529 19533 2cef9a6 GetProcAddress 19532->19533 19534 2cefa60 19532->19534 19535 2cefa59 FreeLibrary 19533->19535 19538 2cef9ba 19533->19538 19534->19529 19535->19534 19536 2cef9cc GetAdaptersInfo 19536->19538 19537 2cefa54 19537->19535 19538->19536 19538->19537 19538->19538 19540 2cf3b2c 
19538->19540 19543 2cf3b34 19540->19543 19541 2cf2f8c _malloc 59 API calls 19541->19543 19542 2cf3b4e 19542->19538 19543->19541 19543->19542 19544 2cf81e3 __calloc_impl RtlDecodePointer 19543->19544 19545 2cf3b52 std::exception::exception 19543->19545 19544->19543 19548 2cf453a 19545->19548 19547 2cf3b7c 19550 2cf4559 RaiseException 19548->19550 19550->19547 19551 40d78f RegOpenKeyExA 19552 40d79a 19551->19552 21438 402eb0 GetVersion 21462 403ff4 HeapCreate 21438->21462 21440 402f0f 21441 402f14 21440->21441 21442 402f1c 21440->21442 21537 402fcb 21441->21537 21474 403cd4 21442->21474 21446 402f24 GetCommandLineA 21488 403ba2 21446->21488 21450 402f3e 21520 40389c 21450->21520 21452 402f43 21453 402f48 GetStartupInfoA 21452->21453 21533 403844 21453->21533 21455 402f5a GetModuleHandleA 21457 402f7e 21455->21457 21543 4035eb 21457->21543 21463 404014 21462->21463 21464 40404a 21462->21464 21550 403eac 21463->21550 21464->21440 21467 404030 21470 40404d 21467->21470 21472 404c1c 5 API calls 21467->21472 21468 404023 21562 4043cb HeapAlloc 21468->21562 21470->21440 21471 40402d 21471->21470 21473 40403e HeapDestroy 21471->21473 21472->21471 21473->21464 21618 402fef 21474->21618 21477 403cf3 GetStartupInfoA 21484 403e04 21477->21484 21487 403d3f 21477->21487 21480 403e2b GetStdHandle 21483 403e39 GetFileType 21480->21483 21480->21484 21481 403e6b SetHandleCount 21481->21446 21482 402fef 12 API calls 21482->21487 21483->21484 21484->21480 21484->21481 21485 403db0 21485->21484 21486 403dd2 GetFileType 21485->21486 21486->21485 21487->21482 21487->21484 21487->21485 21489 403bf0 21488->21489 21490 403bbd GetEnvironmentStringsW 21488->21490 21492 403bc5 21489->21492 21493 403be1 21489->21493 21491 403bd1 GetEnvironmentStrings 21490->21491 21490->21492 21491->21493 21494 402f34 21491->21494 21495 403c09 WideCharToMultiByte 21492->21495 21496 403bfd GetEnvironmentStringsW 21492->21496 21493->21494 21497 403c83 GetEnvironmentStrings 21493->21497 21498 403c8f 21493->21498 
21511 403955 21494->21511 21500 403c3d 21495->21500 21501 403c6f FreeEnvironmentStringsW 21495->21501 21496->21494 21496->21495 21497->21494 21497->21498 21502 402fef 12 API calls 21498->21502 21503 402fef 12 API calls 21500->21503 21501->21494 21506 403caa 21502->21506 21504 403c43 21503->21504 21504->21501 21505 403c4c WideCharToMultiByte 21504->21505 21508 403c5d 21505->21508 21510 403c66 21505->21510 21507 403cc0 FreeEnvironmentStringsA 21506->21507 21507->21494 21509 4030a1 7 API calls 21508->21509 21509->21510 21510->21501 21512 403967 21511->21512 21513 40396c GetModuleFileNameA 21511->21513 21647 4061b4 21512->21647 21515 40398f 21513->21515 21516 402fef 12 API calls 21515->21516 21517 4039b0 21516->21517 21518 4039c0 21517->21518 21519 402fa6 7 API calls 21517->21519 21518->21450 21519->21518 21521 4038a9 21520->21521 21523 4038ae 21520->21523 21522 4061b4 19 API calls 21521->21522 21522->21523 21524 402fef 12 API calls 21523->21524 21525 4038db 21524->21525 21526 402fa6 7 API calls 21525->21526 21531 4038ef 21525->21531 21526->21531 21527 4030a1 7 API calls 21528 40393e 21527->21528 21528->21452 21529 402fef 12 API calls 21529->21531 21530 403932 21530->21527 21531->21529 21531->21530 21532 402fa6 7 API calls 21531->21532 21532->21531 21534 40384d 21533->21534 21536 403852 21533->21536 21535 4061b4 19 API calls 21534->21535 21535->21536 21536->21455 21538 402fd4 21537->21538 21539 402fd9 21537->21539 21540 404224 7 API calls 21538->21540 21541 40425d 7 API calls 21539->21541 21540->21539 21542 402fe2 ExitProcess 21541->21542 21671 40360d 21543->21671 21546 4036c0 21547 4036cc 21546->21547 21548 4037f5 UnhandledExceptionFilter 21547->21548 21549 402f98 21547->21549 21548->21549 21564 402d40 21550->21564 21553 403ed5 21554 403eef GetEnvironmentVariableA 21553->21554 21556 403ee7 21553->21556 21557 403f0e 21554->21557 21561 403fcc 21554->21561 21556->21467 21556->21468 21558 403f53 GetModuleFileNameA 21557->21558 21559 403f4b 21557->21559 21558->21559 
21559->21561 21566 4061d0 21559->21566 21561->21556 21569 403e7f GetModuleHandleA 21561->21569 21563 4043e7 21562->21563 21563->21471 21565 402d4c GetVersionExA 21564->21565 21565->21553 21565->21554 21571 4061e7 21566->21571 21570 403e96 21569->21570 21570->21556 21573 4061ff 21571->21573 21575 40622f 21573->21575 21578 4053a6 21573->21578 21574 4053a6 6 API calls 21574->21575 21575->21574 21577 4061e3 21575->21577 21582 4073ab 21575->21582 21577->21561 21579 4053c4 21578->21579 21580 4053b8 21578->21580 21588 40670e 21579->21588 21580->21573 21583 4073d6 21582->21583 21586 4073b9 21582->21586 21584 4073f2 21583->21584 21585 4053a6 6 API calls 21583->21585 21584->21586 21600 406857 21584->21600 21585->21584 21586->21575 21589 40673f GetStringTypeW 21588->21589 21595 406757 21588->21595 21590 40675b GetStringTypeA 21589->21590 21589->21595 21593 406843 21590->21593 21590->21595 21591 406782 GetStringTypeA 21591->21593 21593->21580 21594 4067a6 21594->21593 21596 4067bc MultiByteToWideChar 21594->21596 21595->21591 21595->21594 21596->21593 21597 4067e0 21596->21597 21597->21593 21598 40681a MultiByteToWideChar 21597->21598 21598->21593 21599 406833 GetStringTypeW 21598->21599 21599->21593 21601 406887 LCMapStringW 21600->21601 21602 4068a3 21600->21602 21601->21602 21603 4068ab LCMapStringA 21601->21603 21604 4068ec LCMapStringA 21602->21604 21606 406909 21602->21606 21603->21602 21605 4069e5 21603->21605 21604->21605 21605->21586 21606->21605 21607 40691f MultiByteToWideChar 21606->21607 21607->21605 21608 406949 21607->21608 21608->21605 21609 40697f MultiByteToWideChar 21608->21609 21609->21605 21610 406998 LCMapStringW 21609->21610 21610->21605 21611 4069b3 21610->21611 21612 4069b9 21611->21612 21614 4069f9 21611->21614 21612->21605 21613 4069c7 LCMapStringW 21612->21613 21613->21605 21614->21605 21615 406a31 LCMapStringW 21614->21615 21615->21605 21616 406a49 WideCharToMultiByte 21615->21616 21616->21605 21619 403001 12 API calls 21618->21619 21620 402ffe 
21619->21620 21620->21477 21621 402fa6 21620->21621 21622 402fb4 21621->21622 21623 402faf 21621->21623 21633 40425d 21622->21633 21627 404224 21623->21627 21628 40422e 21627->21628 21629 40425d 7 API calls 21628->21629 21632 40425b 21628->21632 21630 404245 21629->21630 21631 40425d 7 API calls 21630->21631 21631->21632 21632->21622 21636 404270 21633->21636 21634 402fbd 21634->21477 21635 404387 21639 40439a GetStdHandle WriteFile 21635->21639 21636->21634 21636->21635 21637 4042b0 21636->21637 21637->21634 21638 4042bc GetModuleFileNameA 21637->21638 21640 4042d4 21638->21640 21639->21634 21642 406578 21640->21642 21643 406585 LoadLibraryA 21642->21643 21645 4065c7 21642->21645 21644 406596 GetProcAddress 21643->21644 21643->21645 21644->21645 21646 4065ad GetProcAddress GetProcAddress 21644->21646 21645->21634 21646->21645 21648 4061bd 21647->21648 21649 4061c4 21647->21649 21651 405df0 21648->21651 21649->21513 21658 405f89 21651->21658 21655 405e33 GetCPInfo 21657 405e47 21655->21657 21656 405f7d 21656->21649 21657->21656 21663 40602f GetCPInfo 21657->21663 21659 405fa9 21658->21659 21660 405f99 GetOEMCP 21658->21660 21661 405e01 21659->21661 21662 405fae GetACP 21659->21662 21660->21659 21661->21655 21661->21656 21661->21657 21662->21661 21664 40611a 21663->21664 21667 406052 21663->21667 21664->21656 21665 40670e 6 API calls 21666 4060ce 21665->21666 21668 406857 9 API calls 21666->21668 21667->21665 21669 4060f2 21668->21669 21670 406857 9 API calls 21669->21670 21670->21664 21672 403619 GetCurrentProcess TerminateProcess 21671->21672 21673 40362a 21671->21673 21672->21673 21674 402f87 21673->21674 21675 403694 ExitProcess 21673->21675 21674->21546 19553 2d29483 19554 2d42bcc Sleep 19553->19554 19556 2d1e004 19559 2cef879 CreateFileA 19556->19559 19560 2cef975 19559->19560 19564 2cef8aa 19559->19564 19561 2cef8c2 DeviceIoControl 19561->19564 19562 2cef96b CloseHandle 19562->19560 19563 2cef937 GetLastError 19563->19562 19563->19564 19564->19561 
19564->19562 19564->19563 19565 2cf3b2c _Allocate 60 API calls 19564->19565 19565->19564 19566 402895 CreateDirectoryA 19567 4028a6 19566->19567 19568 40d319 19569 40d2e5 19568->19569 19571 40d2f6 19568->19571 19572 401f27 19569->19572 19573 401f3c 19572->19573 19576 401a1d 19573->19576 19575 401f45 19575->19571 19577 401a2c 19576->19577 19582 401a4f CreateFileA 19577->19582 19581 401a3e 19581->19575 19583 401a35 19582->19583 19586 401a7d 19582->19586 19590 401b4b LoadLibraryA 19583->19590 19584 401a98 DeviceIoControl 19584->19586 19586->19584 19587 401b3a CloseHandle 19586->19587 19588 401b0e GetLastError 19586->19588 19599 402ca6 19586->19599 19602 402c98 19586->19602 19587->19583 19588->19586 19588->19587 19591 401c21 19590->19591 19592 401b6e GetProcAddress 19590->19592 19591->19581 19593 401c18 FreeLibrary 19592->19593 19595 401b85 19592->19595 19593->19591 19594 401b95 GetAdaptersInfo 19594->19595 19595->19594 19596 402ca6 7 API calls 19595->19596 19597 401c15 19595->19597 19598 402c98 12 API calls 19595->19598 19596->19595 19597->19593 19598->19595 19605 4030a1 19599->19605 19635 403001 19602->19635 19606 402caf 19605->19606 19607 4030ad 19605->19607 19606->19586 19608 4030b7 19607->19608 19609 4030cd 19607->19609 19611 4030f9 HeapFree 19608->19611 19612 4030c3 19608->19612 19610 4030f8 19609->19610 19613 4030e7 19609->19613 19610->19611 19611->19606 19616 40443e 19612->19616 19622 404ecf 19613->19622 19617 40447c 19616->19617 19621 404732 19616->19621 19618 404678 VirtualFree 19617->19618 19617->19621 19619 4046dc 19618->19619 19620 4046eb VirtualFree HeapFree 19619->19620 19619->19621 19620->19621 19621->19606 19623 404f12 19622->19623 19624 404efc 19622->19624 19623->19606 19624->19623 19626 404db6 19624->19626 19629 404dc3 19626->19629 19627 404e73 19627->19623 19628 404de4 VirtualFree 19628->19629 19629->19627 19629->19628 19631 404d60 VirtualFree 19629->19631 19632 404d7d 19631->19632 19633 404dad 19632->19633 19634 404d8d HeapFree 19632->19634 
19633->19629 19634->19629 19636 402ca3 19635->19636 19638 403008 19635->19638 19636->19586 19638->19636 19639 40302d 19638->19639 19640 40303c 19639->19640 19646 403051 19639->19646 19642 40304a 19640->19642 19648 404767 19640->19648 19643 403090 HeapAlloc 19642->19643 19644 40309f 19642->19644 19645 40304f 19642->19645 19643->19644 19644->19638 19645->19638 19646->19642 19646->19643 19654 404f14 19646->19654 19649 404799 19648->19649 19650 404838 19649->19650 19652 404847 19649->19652 19661 404a70 19649->19661 19650->19652 19668 404b21 19650->19668 19652->19642 19659 404f22 19654->19659 19655 40500e VirtualAlloc 19660 404fdf 19655->19660 19656 4050e3 19672 404c1c 19656->19672 19659->19655 19659->19656 19659->19660 19660->19642 19662 404ab3 HeapAlloc 19661->19662 19663 404a83 HeapReAlloc 19661->19663 19665 404ad9 VirtualAlloc 19662->19665 19667 404b03 19662->19667 19664 404aa2 19663->19664 19663->19667 19664->19662 19666 404af3 HeapFree 19665->19666 19665->19667 19666->19667 19667->19650 19669 404b33 VirtualAlloc 19668->19669 19671 404b7c 19669->19671 19671->19652 19673 404c30 HeapAlloc 19672->19673 19674 404c29 19672->19674 19675 404c4d VirtualAlloc 19673->19675 19680 404c85 19673->19680 19674->19675 19676 404d42 19675->19676 19677 404c6d VirtualAlloc 19675->19677 19678 404d4a HeapFree 19676->19678 19676->19680 19679 404d34 VirtualFree 19677->19679 19677->19680 19678->19680 19679->19676 19680->19660 21676 40d3bd Sleep 21677 4022bd 21678 40d222 RegSetValueExA 21677->21678 21680 40d67f 21681 40d682 21680->21681 21682 40d9fc RegQueryValueExA 21681->21682 21683 40d1ad RegCloseKey 21682->21683 21684 40da0d 21682->21684 21683->21681 21685 40d2bf 21686 40d548 OpenSCManagerA 21685->21686

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 0 2ce72ab-2ce72c3 InternetOpenA 1 2ce7389-2ce738f 0->1 2 2ce72c9-2ce731d InternetSetOptionA * 3 call 2cf4ad0 0->2 3 2ce73ab-2ce73b9 1->3 4 2ce7391-2ce7397 1->4 6 2ce7322-2ce7340 InternetOpenUrlA 2->6 9 2ce73bf-2ce73e3 call 2cf4ad0 call 2ce439c 3->9 10 2ce66f4-2ce66f6 3->10 7 2ce739d-2ce73aa call 2ce53ec 4->7 8 2ce7399-2ce739b 4->8 11 2ce7382-2ce7383 InternetCloseHandle 6->11 12 2ce7342 6->12 7->3 8->3 9->10 31 2ce73e9-2ce7417 RtlEnterCriticalSection RtlLeaveCriticalSection call 2cf231c 9->31 13 2ce66ff-2ce6701 10->13 14 2ce66f8-2ce66fd 10->14 11->1 17 2ce7346-2ce736c InternetReadFile 12->17 19 2ce670e-2ce6742 RtlEnterCriticalSection RtlLeaveCriticalSection 13->19 20 2ce6703 13->20 18 2ce6708 Sleep 14->18 24 2ce736e-2ce7375 17->24 25 2ce7377-2ce737e InternetCloseHandle 17->25 18->19 26 2ce6744-2ce6750 19->26 27 2ce6792 19->27 20->18 24->17 25->11 26->27 29 2ce6752-2ce675f 26->29 30 2ce6796 27->30 32 2ce6767-2ce6768 29->32 33 2ce6761-2ce6765 29->33 30->0 38 2ce746d-2ce7488 call 2cf231c 31->38 39 2ce7419-2ce742b call 2cf231c 31->39 35 2ce676c-2ce6790 call 2cf4ad0 * 2 32->35 33->35 35->30 47 2ce748e-2ce7490 38->47 48 2ce7742-2ce7754 call 2cf231c 38->48 39->38 49 2ce742d-2ce743f call 2cf231c 39->49 47->48 50 2ce7496-2ce7548 call 2cf2f8c RtlEnterCriticalSection RtlLeaveCriticalSection call 2cf4ad0 * 5 call 2ce439c * 2 47->50 57 2ce779d-2ce77a6 call 2cf231c 48->57 58 2ce7756-2ce7758 48->58 49->38 59 2ce7441-2ce7453 call 2cf231c 49->59 114 2ce754a-2ce754c 50->114 115 2ce7585 50->115 66 2ce77ab-2ce77af 57->66 58->57 61 2ce775a-2ce7798 call 2cf4ad0 RtlEnterCriticalSection RtlLeaveCriticalSection 58->61 59->38 72 2ce7455-2ce7467 call 2cf231c 59->72 61->10 70 2ce77d0-2ce77e2 call 2cf231c 66->70 71 2ce77b1-2ce77bf call 2ce61f5 call 2ce6303 66->71 82 2ce77e8-2ce77ea 70->82 83 2ce7b00-2ce7b12 call 2cf231c 70->83 85 2ce77c4-2ce77cb call 2ce640e 71->85 
72->10 72->38 82->83 87 2ce77f0-2ce7807 call 2ce439c 82->87 83->10 95 2ce7b18-2ce7b46 call 2cf2f8c call 2cf4ad0 call 2ce439c 83->95 85->10 87->10 99 2ce780d-2ce78db call 2cf23f8 call 2ce1ba7 87->99 121 2ce7b4f-2ce7b56 call 2cf2f54 95->121 122 2ce7b48-2ce7b4a call 2ce534d 95->122 112 2ce78dd call 2ce143f 99->112 113 2ce78e2-2ce7903 RtlEnterCriticalSection 99->113 112->113 118 2ce790f-2ce7973 RtlLeaveCriticalSection call 2ce3c67 call 2ce3d7e call 2ce8311 113->118 119 2ce7905-2ce790c 113->119 114->115 120 2ce754e-2ce7560 call 2cf231c 114->120 123 2ce7589-2ce75b7 call 2cf2f8c call 2cf4ad0 call 2ce439c 115->123 146 2ce7979-2ce79c1 call 2cea6fb 118->146 147 2ce7ae7-2ce7afb call 2ce8fd9 118->147 119->118 120->115 135 2ce7562-2ce7583 call 2ce439c 120->135 121->10 122->121 144 2ce75f8-2ce7601 call 2cf2f54 123->144 145 2ce75b9-2ce75c8 call 2cf35c6 123->145 135->123 156 2ce7738-2ce773b 144->156 157 2ce7607-2ce761f call 2cf3b2c 144->157 145->144 158 2ce75ca 145->158 159 2ce79c7-2ce79ce 146->159 160 2ce7ab1-2ce7ae2 call 2ce83c0 call 2ce33b2 146->160 147->10 156->48 170 2ce762b 157->170 171 2ce7621-2ce7629 call 2ce970d 157->171 163 2ce75cf-2ce75e1 call 2cf2830 158->163 161 2ce79d1-2ce79d6 159->161 160->147 161->161 165 2ce79d8-2ce7a23 call 2cea6fb 161->165 177 2ce75e6-2ce75f6 call 2cf35c6 163->177 178 2ce75e3 163->178 165->160 179 2ce7a29-2ce7a2f 165->179 176 2ce762d-2ce76e5 call 2cea825 call 2ce3863 call 2ce5119 call 2ce3863 call 2ceaacb call 2ceabe5 170->176 171->176 202 2ce76ec-2ce76fb Sleep 176->202 203 2ce76e7 call 2ce380b 176->203 177->144 177->163 178->177 183 2ce7a32-2ce7a37 179->183 183->183 186 2ce7a39-2ce7a74 call 2cea6fb 183->186 186->160 193 2ce7a76-2ce7ab0 call 2ced0ed 186->193 193->160 205 2ce7703-2ce7717 call 2cf18d0 202->205 203->202 207 2ce7719-2ce7722 call 2ce4100 205->207 208 2ce7723-2ce7731 205->208 207->208 208->156 209 2ce7733 call 2ce380b 208->209 209->156
                                                                                                              APIs
                                                                                                              • Sleep.KERNELBASE(0000EA60), ref: 02CE6708
                                                                                                              • RtlEnterCriticalSection.NTDLL(02D171E0), ref: 02CE6713
                                                                                                              • RtlLeaveCriticalSection.NTDLL(02D171E0), ref: 02CE6724
                                                                                                              • _memset.LIBCMT ref: 02CE6779
                                                                                                              • _memset.LIBCMT ref: 02CE6788
                                                                                                              • InternetOpenA.WININET(?), ref: 02CE72B5
                                                                                                              • InternetSetOptionA.WININET(00000000,00000002,?), ref: 02CE72DD
                                                                                                              • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02CE72F5
                                                                                                              • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02CE730D
                                                                                                              • _memset.LIBCMT ref: 02CE731D
                                                                                                              • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02CE7336
                                                                                                              • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02CE7358
                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 02CE7378
                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 02CE7383
                                                                                                              • _memset.LIBCMT ref: 02CE73CB
                                                                                                              • RtlEnterCriticalSection.NTDLL(02D171E0), ref: 02CE73EE
                                                                                                              • RtlLeaveCriticalSection.NTDLL(02D171E0), ref: 02CE73FF
                                                                                                              • _malloc.LIBCMT ref: 02CE7498
                                                                                                              • RtlEnterCriticalSection.NTDLL(02D171E0), ref: 02CE74AA
                                                                                                              • RtlLeaveCriticalSection.NTDLL(02D171E0), ref: 02CE74B6
                                                                                                              • _memset.LIBCMT ref: 02CE74D0
                                                                                                              • _memset.LIBCMT ref: 02CE74DF
                                                                                                              • _memset.LIBCMT ref: 02CE74EF
                                                                                                              • _memset.LIBCMT ref: 02CE7502
                                                                                                              • _memset.LIBCMT ref: 02CE7518
                                                                                                              • _malloc.LIBCMT ref: 02CE758E
                                                                                                              • _memset.LIBCMT ref: 02CE759F
                                                                                                              • _strtok.LIBCMT ref: 02CE75BF
                                                                                                              • _swscanf.LIBCMT ref: 02CE75D6
                                                                                                              • _strtok.LIBCMT ref: 02CE75ED
                                                                                                              • _free.LIBCMT ref: 02CE75F9
                                                                                                              • Sleep.KERNEL32(000007D0), ref: 02CE76F1
                                                                                                              • _memset.LIBCMT ref: 02CE7765
                                                                                                              • RtlEnterCriticalSection.NTDLL(02D171E0), ref: 02CE7772
                                                                                                              • RtlLeaveCriticalSection.NTDLL(02D171E0), ref: 02CE7784
                                                                                                              • _sprintf.LIBCMT ref: 02CE7822
                                                                                                              • RtlEnterCriticalSection.NTDLL(00000020), ref: 02CE78E6
                                                                                                              • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02CE791A
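The API list above is the sandbox's static view of the routine that fetches C2 tasking: InternetOpenA, three InternetSetOptionA calls, InternetOpenUrlA with flags 04000200, a 0x1000-byte InternetReadFile loop, and Sleep calls of 0xEA60 and 0x7D0 ms. The option numbers and flag bits are WinINet constants (2 = INTERNET_OPTION_CONNECT_TIMEOUT, 5 = INTERNET_OPTION_SEND_TIMEOUT, 6 = INTERNET_OPTION_RECEIVE_TIMEOUT; 0x04000200 = INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_UI). The script below is an added example by the editor, not part of the Joe Sandbox report or of the sample: it parses lines in the report's own `Api.Module(args), ref: addr` format into records and decodes the beaconing parameters. The sample lines are copied from the list above; the one interpretive assumption, marked in the code, is that the value the sandbox prints in the lpBuffer slot (00001388) is the pointed-to DWORD, i.e. a 5000 ms timeout.

```python
import re

# Constructed sample: a subset of the "APIs" list for the routine at 02CE72AB,
# copied from the report. The parser also accepts the "_memset.LIBCMT ref: ..."
# form used for CRT calls, which carries no argument list.
SAMPLE_API_LINES = """\
• Sleep.KERNELBASE(0000EA60), ref: 02CE6708
• InternetOpenA.WININET(?), ref: 02CE72B5
• InternetSetOptionA.WININET(00000000,00000002,?), ref: 02CE72DD
• InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02CE72F5
• InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02CE730D
• InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02CE7336
• InternetReadFile.WININET(00000000,?,00001000,?), ref: 02CE7358
• InternetCloseHandle.WININET(00000000), ref: 02CE7378
• Sleep.KERNEL32(000007D0), ref: 02CE76F1
"""

# One report line: optional bullet, Api.Module, optional (hex args or ?), ref: hex address
API_LINE = re.compile(
    r"^\s*•?\s*(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

# WinINet option identifiers (dwOption of InternetSetOption) seen in the report
INTERNET_OPTION = {
    2: "INTERNET_OPTION_CONNECT_TIMEOUT",
    5: "INTERNET_OPTION_SEND_TIMEOUT",
    6: "INTERNET_OPTION_RECEIVE_TIMEOUT",
}

# dwFlags bits of InternetOpenUrl / HttpOpenRequest
INTERNET_FLAG = {
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x80000000: "INTERNET_FLAG_RELOAD",
}


def _parse_arg(token):
    """'?' (value unknown to the sandbox) becomes None, hex becomes int."""
    token = token.strip()
    if token in ("", "?"):
        return None
    return int(token, 16)


def parse_api_lines(text):
    """Turn the report's API lines into dicts; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        api, module, argstr, ref = m.groups()
        args = [] if argstr is None else [_parse_arg(a) for a in argstr.split(",")]
        calls.append({"api": api, "module": module, "args": args, "ref": int(ref, 16)})
    return calls


def decode_flags(value, table):
    """Name every known bit in ascending order; leftover bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value
    for bit in table:
        rest &= ~bit
    if rest:
        names.append("0x%08x" % rest)
    return names


def summarize_beacon(calls):
    """Collect timeouts, request flags, read chunk size and sleep intervals."""
    summary = {"timeouts_ms": {}, "open_url_flags": [], "read_chunk_bytes": None, "sleep_ms": []}
    for c in calls:
        api, args = c["api"], c["args"]
        if api == "InternetSetOptionA" and len(args) >= 3 and args[1] in INTERNET_OPTION:
            # Assumption: the sandbox prints the DWORD behind lpBuffer in the third
            # slot, so 00001388 is the timeout value itself (5000 ms). A '?' means
            # the value was not recovered statically and is left out.
            if args[2] is not None:
                summary["timeouts_ms"][INTERNET_OPTION[args[1]]] = args[2]
        elif api == "InternetOpenUrlA" and len(args) >= 5 and args[4] is not None:
            summary["open_url_flags"] = decode_flags(args[4], INTERNET_FLAG)
        elif api == "InternetReadFile" and len(args) >= 3:
            summary["read_chunk_bytes"] = args[2]
        elif api == "Sleep" and args and args[0] is not None:
            summary["sleep_ms"].append(args[0])
    return summary


if __name__ == "__main__":
    for key, value in summarize_beacon(parse_api_lines(SAMPLE_API_LINES)).items():
        print(key, value)
```

Run against the sample lines this reports send and receive timeouts of 5000 ms, flags INTERNET_FLAG_NO_UI and INTERNET_FLAG_NO_CACHE_WRITE (no UI prompts, nothing written to the WinINet cache), 4096-byte reads, and sleeps of 60000 ms and 2000 ms, which is the polling cadence a detection engineer would look for in proxy logs alongside the "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" User-Agent listed under String ID.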
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _memset$CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
                                                                                                              • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
                                                                                                              • API String ID: 696907137-1839899575
                                                                                                              • Opcode ID: 0c1dc2159c0d1c1437e999320e735c29d2065604cfcc85dc8daf70417df16017
                                                                                                              • Instruction ID: 63ed4defcab87e0ae0ffaca14e3714b034b8372b6cb1a59b0b9f722b176579fe
                                                                                                              • Opcode Fuzzy Hash: 0c1dc2159c0d1c1437e999320e735c29d2065604cfcc85dc8daf70417df16017
                                                                                                              • Instruction Fuzzy Hash: 00321371548381AFEB75AB20D845BAFB7EAEFD5314F10081DF58A872A0DB709908CB53

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 481 2ce648b-2ce64ec RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 482 2ce64f3-2ce66f1 GetTickCount call 2ce605a GetVersionExA call 2cf4ad0 call 2cf2f8c * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 2cf4ad0 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 2cf2f8c * 4 QueryPerformanceCounter Sleep call 2cf2f8c * 2 call 2cf4ad0 * 2 481->482 483 2ce64ee call 2ce42c7 481->483 526 2ce66f4-2ce66f6 482->526 483->482 527 2ce66ff-2ce6701 526->527 528 2ce66f8-2ce66fd 526->528 530 2ce670e-2ce6742 RtlEnterCriticalSection RtlLeaveCriticalSection 527->530 531 2ce6703 527->531 529 2ce6708 Sleep 528->529 529->530 532 2ce6744-2ce6750 530->532 533 2ce6792 530->533 531->529 532->533 534 2ce6752-2ce675f 532->534 535 2ce6796-2ce72c3 InternetOpenA 533->535 536 2ce6767-2ce6768 534->536 537 2ce6761-2ce6765 534->537 540 2ce7389-2ce738f 535->540 541 2ce72c9-2ce7340 InternetSetOptionA * 3 call 2cf4ad0 InternetOpenUrlA 535->541 539 2ce676c-2ce6790 call 2cf4ad0 * 2 536->539 537->539 539->535 542 2ce73ab-2ce73b9 540->542 543 2ce7391-2ce7397 540->543 551 2ce7382-2ce7383 InternetCloseHandle 541->551 552 2ce7342 541->552 542->526 550 2ce73bf-2ce73e3 call 2cf4ad0 call 2ce439c 542->550 547 2ce739d-2ce73aa call 2ce53ec 543->547 548 2ce7399-2ce739b 543->548 547->542 548->542 550->526 564 2ce73e9-2ce7417 RtlEnterCriticalSection RtlLeaveCriticalSection call 2cf231c 550->564 551->540 556 2ce7346-2ce736c InternetReadFile 552->556 561 2ce736e-2ce7375 556->561 562 2ce7377-2ce737e InternetCloseHandle 556->562 561->556 562->551 567 2ce746d-2ce7488 call 2cf231c 564->567 568 2ce7419-2ce742b call 2cf231c 564->568 573 2ce748e-2ce7490 567->573 574 2ce7742-2ce7754 call 2cf231c 567->574 568->567 575 2ce742d-2ce743f call 2cf231c 568->575 573->574 576 2ce7496-2ce7548 call 2cf2f8c 
RtlEnterCriticalSection RtlLeaveCriticalSection call 2cf4ad0 * 5 call 2ce439c * 2 573->576 583 2ce779d-2ce77af call 2cf231c 574->583 584 2ce7756-2ce7758 574->584 575->567 585 2ce7441-2ce7453 call 2cf231c 575->585 640 2ce754a-2ce754c 576->640 641 2ce7585 576->641 596 2ce77d0-2ce77e2 call 2cf231c 583->596 597 2ce77b1-2ce77bf call 2ce61f5 call 2ce6303 583->597 584->583 587 2ce775a-2ce7798 call 2cf4ad0 RtlEnterCriticalSection RtlLeaveCriticalSection 584->587 585->567 598 2ce7455-2ce7467 call 2cf231c 585->598 587->526 608 2ce77e8-2ce77ea 596->608 609 2ce7b00-2ce7b12 call 2cf231c 596->609 611 2ce77c4-2ce77cb call 2ce640e 597->611 598->526 598->567 608->609 613 2ce77f0-2ce7807 call 2ce439c 608->613 609->526 621 2ce7b18-2ce7b46 call 2cf2f8c call 2cf4ad0 call 2ce439c 609->621 611->526 613->526 625 2ce780d-2ce78db call 2cf23f8 call 2ce1ba7 613->625 647 2ce7b4f-2ce7b56 call 2cf2f54 621->647 648 2ce7b48-2ce7b4a call 2ce534d 621->648 638 2ce78dd call 2ce143f 625->638 639 2ce78e2-2ce7903 RtlEnterCriticalSection 625->639 638->639 644 2ce790f-2ce7973 RtlLeaveCriticalSection call 2ce3c67 call 2ce3d7e call 2ce8311 639->644 645 2ce7905-2ce790c 639->645 640->641 646 2ce754e-2ce7560 call 2cf231c 640->646 649 2ce7589-2ce75b7 call 2cf2f8c call 2cf4ad0 call 2ce439c 641->649 672 2ce7979-2ce79c1 call 2cea6fb 644->672 673 2ce7ae7-2ce7afb call 2ce8fd9 644->673 645->644 646->641 661 2ce7562-2ce7583 call 2ce439c 646->661 647->526 648->647 670 2ce75f8-2ce7601 call 2cf2f54 649->670 671 2ce75b9-2ce75c8 call 2cf35c6 649->671 661->649 682 2ce7738-2ce773b 670->682 683 2ce7607-2ce761f call 2cf3b2c 670->683 671->670 684 2ce75ca 671->684 685 2ce79c7-2ce79ce 672->685 686 2ce7ab1-2ce7ae2 call 2ce83c0 call 2ce33b2 672->686 673->526 682->574 696 2ce762b 683->696 697 2ce7621-2ce7629 call 2ce970d 683->697 689 2ce75cf-2ce75e1 call 2cf2830 684->689 687 2ce79d1-2ce79d6 685->687 686->673 687->687 691 2ce79d8-2ce7a23 call 2cea6fb 687->691 703 2ce75e6-2ce75f6 call 2cf35c6 689->703 704 2ce75e3 689->704 691->686 705 
2ce7a29-2ce7a2f 691->705 702 2ce762d-2ce76e5 call 2cea825 call 2ce3863 call 2ce5119 call 2ce3863 call 2ceaacb call 2ceabe5 696->702 697->702 728 2ce76ec-2ce7717 Sleep call 2cf18d0 702->728 729 2ce76e7 call 2ce380b 702->729 703->670 703->689 704->703 709 2ce7a32-2ce7a37 705->709 709->709 712 2ce7a39-2ce7a74 call 2cea6fb 709->712 712->686 719 2ce7a76-2ce7ab0 call 2ced0ed 712->719 719->686 733 2ce7719-2ce7722 call 2ce4100 728->733 734 2ce7723-2ce7731 728->734 729->728 733->734 734->682 735 2ce7733 call 2ce380b 734->735 735->682
                                                                                                              APIs
                                                                                                              • RtlInitializeCriticalSection.NTDLL(02D171E0), ref: 02CE64BA
                                                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02CE64D1
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02CE64DA
                                                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02CE64E9
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02CE64EC
                                                                                                              • GetTickCount.KERNEL32 ref: 02CE64F8
                                                                                                                • Part of subcall function 02CE605A: _malloc.LIBCMT ref: 02CE6068
                                                                                                              • GetVersionExA.KERNEL32(02D17038), ref: 02CE6525
                                                                                                              • _memset.LIBCMT ref: 02CE6544
                                                                                                              • _malloc.LIBCMT ref: 02CE6551
                                                                                                                • Part of subcall function 02CF2F8C: __FF_MSGBANNER.LIBCMT ref: 02CF2FA3
                                                                                                                • Part of subcall function 02CF2F8C: __NMSG_WRITE.LIBCMT ref: 02CF2FAA
                                                                                                                • Part of subcall function 02CF2F8C: RtlAllocateHeap.NTDLL(00850000,00000000,00000001), ref: 02CF2FCF
                                                                                                              • _malloc.LIBCMT ref: 02CE6561
                                                                                                              • _malloc.LIBCMT ref: 02CE656C
                                                                                                              • _malloc.LIBCMT ref: 02CE6577
                                                                                                              • _malloc.LIBCMT ref: 02CE6582
                                                                                                              • _malloc.LIBCMT ref: 02CE658D
                                                                                                              • _malloc.LIBCMT ref: 02CE6598
                                                                                                              • _malloc.LIBCMT ref: 02CE65A7
                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02CE65BE
                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02CE65C7
                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02CE65D6
                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02CE65D9
                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02CE65E4
                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02CE65E7
                                                                                                              • _memset.LIBCMT ref: 02CE65FA
                                                                                                              • _memset.LIBCMT ref: 02CE6606
                                                                                                              • _memset.LIBCMT ref: 02CE6613
                                                                                                              • RtlEnterCriticalSection.NTDLL(02D171E0), ref: 02CE6621
                                                                                                              • RtlLeaveCriticalSection.NTDLL(02D171E0), ref: 02CE662E
                                                                                                              • _malloc.LIBCMT ref: 02CE6652
                                                                                                              • _malloc.LIBCMT ref: 02CE6660
                                                                                                              • _malloc.LIBCMT ref: 02CE6667
                                                                                                              • _malloc.LIBCMT ref: 02CE668D
                                                                                                              • QueryPerformanceCounter.KERNEL32(00000200), ref: 02CE66A0
                                                                                                              • Sleep.KERNELBASE ref: 02CE66AE
                                                                                                              • _malloc.LIBCMT ref: 02CE66BA
                                                                                                              • _malloc.LIBCMT ref: 02CE66C7
                                                                                                              • _memset.LIBCMT ref: 02CE66DC
                                                                                                              • _memset.LIBCMT ref: 02CE66EC
                                                                                                              • Sleep.KERNELBASE(0000EA60), ref: 02CE6708
                                                                                                              • RtlEnterCriticalSection.NTDLL(02D171E0), ref: 02CE6713
                                                                                                              • RtlLeaveCriticalSection.NTDLL(02D171E0), ref: 02CE6724
                                                                                                              • _memset.LIBCMT ref: 02CE6779
                                                                                                              • _memset.LIBCMT ref: 02CE6788
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _malloc$_memset$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                                              • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                                                              • API String ID: 2251652938-2678694477
                                                                                                              • Opcode ID: 2c125d4c57f8d5bc7ff8d1cdbb4caf5dbdf5d5a20a49b07240d90cd81258b7f4
                                                                                                              • Instruction ID: 302b4ce5fa42fbdd0ef98039eff14a8166e84029b57e881c834e61db4f8b0ae7
                                                                                                              • Opcode Fuzzy Hash: 2c125d4c57f8d5bc7ff8d1cdbb4caf5dbdf5d5a20a49b07240d90cd81258b7f4
                                                                                                              • Instruction Fuzzy Hash: 8471B171D58350ABF3606B70AC49B5BBBE9EF45310F210919FA859B390DBB49C10CB96
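Added example, not code from the sandbox or from the sample: a Python triage helper built only from the strings in the two records above. The function at 02CE648B formats the check-in as cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d (the os triple is most plausibly the GetVersionExA result read in the same function; that is an inference) and sends it with the User-Agent "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"; no Windows build reports platform token NT 9.0, which makes the UA a cheap detection on its own. The loop around it sleeps 0xEA60 ms (60 s) between rounds. The response parser ending at 02CE791A carries the keywords auth_ip, auth_swith, block, connect, disconnect, idle, updips, updurls, urls and the prefix "<htm"; treating "<htm" as a reject-HTML check and scanning for the keywords as whole words are assumptions, since the exact delimiter handed to _strtok is not visible in the listing. Sample inputs are constructed.

```python
"""Triage helpers for the Socks5Systemz-style check-in in the listing above."""
import re
from typing import Dict, Optional

# Format string recovered from the function at 02CE648B (see String ID above):
#   cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d
# %.8x -> exactly 8 lowercase hex digits, %x -> unpadded lowercase hex, %04d -> at least 4 digits.
BEACON_RE = re.compile(
    r"^cid=(?P<cid>[0-9a-f]{8})&connected=(?P<connected>\d+)&sport=(?P<sport>\d+)"
    r"&high_port=(?P<high_port>[0-9a-f]+)&low_port=(?P<low_port>[0-9a-f]+)"
    r"&stream=(?P<stream>\d+)&os=(?P<os_major>\d+)\.(?P<os_minor>\d+)\.(?P<os_build>\d{4,})"
    r"&dgt=(?P<dgt>\d+)&dti=(?P<dti>\d+)$"
)

# Platform tokens real Windows builds emit; "Windows NT 9.0" never shipped.
REAL_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}
UA_NT_RE = re.compile(r"Windows NT (\d+\.\d+)")

# Command keywords present in the response parser (String ID of the first record above).
C2_COMMANDS = ("auth_ip", "auth_swith", "block", "connect", "disconnect",
               "idle", "updips", "updurls", "urls")


def parse_beacon(query: str) -> Optional[Dict[str, object]]:
    """Return the decoded check-in fields, or None if the query is not this beacon shape."""
    m = BEACON_RE.match(query)
    if not m:
        return None
    g = m.groupdict()
    return {
        "cid": int(g["cid"], 16),
        "connected": int(g["connected"]),
        "sport": int(g["sport"]),
        "high_port": int(g["high_port"], 16),
        "low_port": int(g["low_port"], 16),
        "stream": int(g["stream"]),
        "os": (int(g["os_major"]), int(g["os_minor"]), int(g["os_build"])),
        "dgt": int(g["dgt"]),
        "dti": int(g["dti"]),
    }


def ua_is_impossible(user_agent: str) -> bool:
    """True when the UA claims a Windows NT version that does not exist."""
    m = UA_NT_RE.search(user_agent)
    return bool(m) and m.group(1) not in REAL_NT_VERSIONS


def classify_response(body: str) -> Dict[str, object]:
    """Approximate the bot's first checks on a C2 reply (assumption: '<htm' rejects HTML)."""
    if body.lstrip().lower().startswith("<htm"):
        return {"html": True, "commands": []}
    # Whole-word match so 'connect' is not reported inside 'disconnect' (assumed delimiter handling).
    found = [c for c in C2_COMMANDS if re.search(rf"\b{re.escape(c)}\b", body)]
    return {"html": False, "commands": found}


def triage_request(path: str, user_agent: str) -> Dict[str, object]:
    """Score one proxy log entry: beacon shape plus UA plausibility."""
    query = path.split("?", 1)[1] if "?" in path else ""
    beacon = parse_beacon(query)
    bad_ua = ua_is_impossible(user_agent)
    return {"beacon": beacon, "ua_impossible": bad_ua, "alert": beacon is not None or bad_ua}


# Constructed sample inputs (not taken from the sandbox run).
SAMPLE_PATH = ("/?cid=0a1b2c3d&connected=1&sport=1080&high_port=ffff&low_port=400"
               "&stream=0&os=10.0.19045&dgt=0&dti=0")
SAMPLE_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

if __name__ == "__main__":
    print(triage_request(SAMPLE_PATH, SAMPLE_UA))
    print(classify_response("<html><body>403</body></html>"))
    print(classify_response("disconnect;1;updurls;2;"))
```

Either signal alone is enough to alert on: the query shape is specific to this family, and the NT 9.0 token has no benign origin, so the two checks can be deployed independently in a proxy log search or an IDS content rule.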

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 1012 401b4b-401b68 LoadLibraryA 1013 401c21-401c25 1012->1013 1014 401b6e-401b7f GetProcAddress 1012->1014 1015 401b85-401b8e 1014->1015 1016 401c18-401c1b FreeLibrary 1014->1016 1017 401b95-401ba5 GetAdaptersInfo 1015->1017 1016->1013 1018 401ba7-401bb0 1017->1018 1019 401bdb-401be3 1017->1019 1020 401bc1-401bd7 call 402cc0 call 4018cc 1018->1020 1021 401bb2-401bb6 1018->1021 1022 401be5-401beb call 402ca6 1019->1022 1023 401bec-401bf0 1019->1023 1020->1019 1021->1019 1024 401bb8-401bbf 1021->1024 1022->1023 1027 401bf2-401bf6 1023->1027 1028 401c15-401c17 1023->1028 1024->1020 1024->1021 1027->1028 1031 401bf8-401bfb 1027->1031 1028->1016 1033 401c06-401c13 call 402c98 1031->1033 1034 401bfd-401c03 1031->1034 1033->1017 1033->1028 1034->1033
                                                                                                              APIs
                                                                                                              • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                                                              • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                                                              • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                                              • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                                                              • API String ID: 514930453-3667123677
                                                                                                              • Opcode ID: b984b7dde6bf878e61bd9d6389ae28c16a21e2d2acce5cac07de2378b9438879
                                                                                                              • Instruction ID: 38440359ad4724572ca0372a4bc8090c683b298b5ffde01d95b1867a6a9b844d
                                                                                                              • Opcode Fuzzy Hash: b984b7dde6bf878e61bd9d6389ae28c16a21e2d2acce5cac07de2378b9438879
                                                                                                              • Instruction Fuzzy Hash: F921B870904109AFEF119F65C9447EF7BB8EF41344F1440BAD504B22E1E7789985CB69

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 1063 2cef97d-2cef9a0 LoadLibraryA 1064 2cef9a6-2cef9b4 GetProcAddress 1063->1064 1065 2cefa60-2cefa67 1063->1065 1066 2cef9ba-2cef9ca 1064->1066 1067 2cefa59-2cefa5a FreeLibrary 1064->1067 1068 2cef9cc-2cef9d8 GetAdaptersInfo 1066->1068 1067->1065 1069 2cef9da 1068->1069 1070 2cefa10-2cefa18 1068->1070 1073 2cef9dc-2cef9e3 1069->1073 1071 2cefa1a-2cefa20 call 2cf3788 1070->1071 1072 2cefa21-2cefa26 1070->1072 1071->1072 1075 2cefa28-2cefa2b 1072->1075 1076 2cefa54-2cefa58 1072->1076 1077 2cef9ed-2cef9f5 1073->1077 1078 2cef9e5-2cef9e9 1073->1078 1075->1076 1080 2cefa2d-2cefa32 1075->1080 1076->1067 1082 2cef9f8-2cef9fd 1077->1082 1078->1073 1081 2cef9eb 1078->1081 1084 2cefa3f-2cefa4a call 2cf3b2c 1080->1084 1085 2cefa34-2cefa3c 1080->1085 1081->1070 1082->1082 1083 2cef9ff-2cefa0c call 2cef6cc 1082->1083 1083->1070 1084->1076 1090 2cefa4c-2cefa4f 1084->1090 1085->1084 1090->1068
                                                                                                              APIs
                                                                                                              • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02CEF993
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02CEF9AC
                                                                                                              • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02CEF9D1
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 02CEFA5A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                                              • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                                              • API String ID: 514930453-3114217049
                                                                                                              • Opcode ID: 4c7f40f26615e7442b82f25a74b09470e67234e7c2238d5789455261f93c0e17
                                                                                                              • Instruction ID: ca8d28f59195dfad31bd442f39d40e3cbd61211202082541e17f1db1e7038e9d
                                                                                                              • Opcode Fuzzy Hash: 4c7f40f26615e7442b82f25a74b09470e67234e7c2238d5789455261f93c0e17
                                                                                                              • Instruction Fuzzy Hash: 1521F875E40209ABDF11DBA8D8807EEBBF8DF44300F1441AED546EB610D7309A45CBA0

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 1091 2cef879-2cef8a4 CreateFileA 1092 2cef8aa-2cef8bf 1091->1092 1093 2cef975-2cef97c 1091->1093 1094 2cef8c2-2cef8e4 DeviceIoControl 1092->1094 1095 2cef91d-2cef925 1094->1095 1096 2cef8e6-2cef8ee 1094->1096 1099 2cef92e-2cef930 1095->1099 1100 2cef927-2cef92d call 2cf3788 1095->1100 1097 2cef8f7-2cef8fc 1096->1097 1098 2cef8f0-2cef8f5 1096->1098 1097->1095 1101 2cef8fe-2cef906 1097->1101 1098->1095 1103 2cef96b-2cef974 CloseHandle 1099->1103 1104 2cef932-2cef935 1099->1104 1100->1099 1105 2cef909-2cef90e 1101->1105 1103->1093 1107 2cef937-2cef940 GetLastError 1104->1107 1108 2cef951-2cef95e call 2cf3b2c 1104->1108 1105->1105 1111 2cef910-2cef91c call 2cef6cc 1105->1111 1107->1103 1109 2cef942-2cef945 1107->1109 1108->1103 1115 2cef960-2cef966 1108->1115 1109->1108 1112 2cef947-2cef94e 1109->1112 1111->1095 1112->1108 1115->1094
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02CEF898
                                                                                                              • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02CEF8D6
                                                                                                              • GetLastError.KERNEL32 ref: 02CEF937
                                                                                                              • CloseHandle.KERNELBASE(?), ref: 02CEF96E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                                              • String ID: \\.\PhysicalDrive0
                                                                                                              • API String ID: 4026078076-1180397377
                                                                                                              • Opcode ID: 8cbc1dcba0979079e6ffa02fdd4630ab552e1b1d1de88ee92d0b6a74bff81781
                                                                                                              • Instruction ID: 2f9bdefbd826e67fb28421271b772f122425a55e15393912015dceb62293e132
                                                                                                              • Opcode Fuzzy Hash: 8cbc1dcba0979079e6ffa02fdd4630ab552e1b1d1de88ee92d0b6a74bff81781
                                                                                                              • Instruction Fuzzy Hash: B931CF71E00219BBDF24DF95D884BAEBBB9EF45714F2041AEE546A7680D770AF00CB90
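Added example, not code from the sandbox or from the sample, covering this record and the same routine in the unpacked image at 00401A4F below. Both open \\.\PhysicalDrive0 with dwDesiredAccess 0 (no read or write on the device, only handle-level queries) and OPEN_EXISTING, then call DeviceIoControl with control code 0x2D1400 and a 0xC-byte input buffer. Decoding the code with the CTL_CODE layout gives device type 0x2D (FILE_DEVICE_MASS_STORAGE), function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS, which is IOCTL_STORAGE_QUERY_PROPERTY, and 12 bytes is exactly sizeof(STORAGE_PROPERTY_QUERY); the 0x400-byte output buffer receives a STORAGE_DEVICE_DESCRIPTOR. With that access mask the handle cannot write sectors, so this function reads drive identity (vendor, product, serial) rather than touching the boot sector. The decoder and descriptor parser below are the author's illustration; the descriptor contents are constructed, not captured from the run.

```python
"""Decode the DeviceIoControl request the PhysicalDrive0 functions issue."""
import struct
from typing import Dict, Optional

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
KNOWN_IOCTLS = {
    0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY",      # CTL_CODE(0x2D, 0x500, BUFFERED, ANY)
    0x2D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",   # CTL_CODE(0x2D, 0x420, BUFFERED, ANY)
    0x70000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",      # CTL_CODE(0x07, 0x000, BUFFERED, ANY)
}


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    device_type = code >> 16
    return {
        "name": KNOWN_IOCTLS.get(code),
        "device_type": DEVICE_TYPES.get(device_type, hex(device_type)),
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 3],
        "access": ACCESS[(code >> 14) & 3],
    }


# STORAGE_PROPERTY_QUERY { DWORD PropertyId; DWORD QueryType; BYTE AdditionalParameters[1]; }
# padded to 12 bytes; StorageDeviceProperty (0) with PropertyStandardQuery (0) is the
# request whose size matches the 0xC input length in the listing.
STORAGE_PROPERTY_QUERY = struct.pack("<IIB3x", 0, 0, 0)

BUS_TYPES = {1: "BusTypeScsi", 3: "BusTypeAta", 7: "BusTypeUsb", 11: "BusTypeSata", 17: "BusTypeNvme"}
_HDR = "<IIBBBBIIIIII"  # STORAGE_DEVICE_DESCRIPTOR fixed header, 36 bytes


def parse_storage_device_descriptor(buf: bytes) -> Dict[str, object]:
    """Pull the vendor/product/revision/serial strings out of the IOCTL output buffer."""
    (version, size, dev_type, dev_mod, removable, cmdq,
     vendor_off, product_off, rev_off, serial_off, bus, raw_len) = struct.unpack_from(_HDR, buf, 0)

    def cstr(off: int) -> Optional[str]:
        if off == 0 or off >= len(buf):   # offset 0 means the field is not present
            return None
        end = buf.find(b"\x00", off)
        end = len(buf) if end == -1 else end
        return buf[off:end].decode("ascii", "replace").strip()

    return {
        "removable": bool(removable),
        "bus_type": BUS_TYPES.get(bus, f"BusType({bus})"),
        "vendor": cstr(vendor_off),
        "product": cstr(product_off),
        "revision": cstr(rev_off),
        "serial": cstr(serial_off),
    }


def build_sample_descriptor() -> bytes:
    """Constructed STORAGE_DEVICE_DESCRIPTOR laid out as the kernel fills it; not from the sample."""
    strings = {"product": b"WDC WD10EZEX-00BN5A0", "revision": b"01.01A01", "serial": b"WD-WCC3F1234567"}
    hdr_len = struct.calcsize(_HDR)
    blob, offsets = b"", {}
    for key, val in strings.items():
        offsets[key] = hdr_len + len(blob)
        blob += val + b"\x00"
    total = hdr_len + len(blob)
    # Version 1, DeviceType 0 (direct access), not removable, command queueing on, no vendor
    # string (offset 0), BusTypeSata (11).
    hdr = struct.pack(_HDR, 1, total, 0, 0, 0, 1,
                      0, offsets["product"], offsets["revision"], offsets["serial"], 11, len(blob))
    return hdr + blob


if __name__ == "__main__":
    print(decode_ioctl(0x2D1400))
    print(len(STORAGE_PROPERTY_QUERY))
    print(parse_storage_device_descriptor(build_sample_descriptor()))
```

The disk serial obtained this way is a common input to per-victim identifiers; whether it feeds the cid value of the check-in is not established by the listing and is not claimed here.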

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 1117 401a4f-401a77 CreateFileA 1118 401b45-401b4a 1117->1118 1119 401a7d-401a91 1117->1119 1120 401a98-401ac0 DeviceIoControl 1119->1120 1121 401ac2-401aca 1120->1121 1122 401af3-401afb 1120->1122 1123 401ad4-401ad9 1121->1123 1124 401acc-401ad2 1121->1124 1125 401b04-401b07 1122->1125 1126 401afd-401b03 call 402ca6 1122->1126 1123->1122 1127 401adb-401af1 call 402cc0 call 4018cc 1123->1127 1124->1122 1129 401b09-401b0c 1125->1129 1130 401b3a-401b44 CloseHandle 1125->1130 1126->1125 1127->1122 1133 401b27-401b34 call 402c98 1129->1133 1134 401b0e-401b17 GetLastError 1129->1134 1130->1118 1133->1120 1133->1130 1134->1130 1137 401b19-401b1c 1134->1137 1137->1133 1140 401b1e-401b24 1137->1140 1140->1133
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                                                              • DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                                                              • GetLastError.KERNEL32 ref: 00401B0E
                                                                                                              • CloseHandle.KERNELBASE(?), ref: 00401B3D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                                              • String ID: \\.\PhysicalDrive0
                                                                                                              • API String ID: 4026078076-1180397377
                                                                                                              • Opcode ID: 3afb43cc3dedd2849d90584800b0b4b1cc754ecdd9339dbac4238ad8ee4012bf
                                                                                                              • Instruction ID: fc4aaa1cf60edb7db06fdbd05dea25136cd7d186831ecbc7bbbcf924abbffa34
                                                                                                              • Opcode Fuzzy Hash: 3afb43cc3dedd2849d90584800b0b4b1cc754ecdd9339dbac4238ad8ee4012bf
                                                                                                              • Instruction Fuzzy Hash: 74318B71D00218EADB21AFA5CD849EFBBB9FF41750F20407AE554B32A0E7785E45CB98
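The argument values logged for this function are worth decoding before reading anything into the \\.\PhysicalDrive0 open: control code 0x2D1400 is IOCTL_STORAGE_QUERY_PROPERTY (device type FILE_DEVICE_MASS_STORAGE, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS), the 0xC-byte input buffer is the size of a STORAGE_PROPERTY_QUERY, and the handle is opened with a desired access of 0, share mode 7 and OPEN_EXISTING. A zero access mask lets a standard user query the device descriptor (vendor, product, serial) but cannot read or write sectors; a boot-sector write would need GENERIC_WRITE on the handle plus a write call, neither of which appears among this function's direct API calls. The decoder below is an added example, not code from the report or the sample; its constants are the Windows SDK definitions (fileapi.h, winnt.h, winioctl.h) and the argument values are the ones listed under APIs.

```python
"""Decode the CreateFileA / DeviceIoControl arguments the report logs for the
\\\\.\\PhysicalDrive0 function above.  Added example (not code from the report
or from the sample): the constants are the Windows SDK definitions from
fileapi.h, winnt.h and winioctl.h, and the argument values are the ones
listed under APIs."""

# CTL_CODE(DeviceType, Function, Method, Access) packs four fields into one DWORD.
FILE_DEVICE_NAMES = {0x07: "FILE_DEVICE_DISK", 0x2D: "FILE_DEVICE_MASS_STORAGE",
                     0x22: "FILE_DEVICE_UNKNOWN"}
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
KNOWN_IOCTLS = {0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
                0x002D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",
                0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
                0x00070050: "IOCTL_DISK_GET_DRIVE_LAYOUT_EX"}
SIZEOF_STORAGE_PROPERTY_QUERY = 12   # PropertyId, QueryType, AdditionalParameters[1] + padding

# CreateFile argument encodings.
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
ACCESS_MASK_BITS = {GENERIC_READ: "GENERIC_READ", GENERIC_WRITE: "GENERIC_WRITE",
                    0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_BITS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def ctl_code(device_type, function, method, access):
    """The CTL_CODE macro from winioctl.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ctl_code(code):
    """Split a DeviceIoControl control code back into its CTL_CODE fields."""
    device_type = (code >> 16) & 0xFFFF
    return {
        "device_type": device_type,
        "device_name": FILE_DEVICE_NAMES.get(device_type, "0x%X" % device_type),
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }


def decode_flags(value, table):
    """Names of the bits set in value, in table order; unmapped bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append("0x%X" % leftover)
    return names


def describe_createfile_ioctl(path, desired_access, share_mode, disposition,
                              ioctl, in_size, out_size):
    """Describe a CreateFile + DeviceIoControl pair as logged by the sandbox."""
    return {
        "path": path,
        "desired_access": decode_flags(desired_access, ACCESS_MASK_BITS),
        "share_mode": decode_flags(share_mode, SHARE_BITS),
        "disposition": DISPOSITIONS.get(disposition, "0x%X" % disposition),
        "ioctl": decode_ctl_code(ioctl),
        "in_buffer_is_storage_property_query": (
            ioctl == 0x002D1400 and in_size == SIZEOF_STORAGE_PROPERTY_QUERY),
        "out_buffer_size": out_size,
        # Raw sector reads/writes need GENERIC_READ/GENERIC_WRITE on the handle;
        # a zero access mask only permits metadata / property queries.
        "raw_disk_access_requested": bool(desired_access & (GENERIC_READ | GENERIC_WRITE)),
    }


# The call as recorded in the report: CreateFileA(\\.\PhysicalDrive0, 0, 7, 0, 3, 0, 0)
# followed by DeviceIoControl(h, 0x2D1400, in, 0xC, out, 0x400, ...).
REPORTED_CALL = describe_createfile_ioctl(r"\\.\PhysicalDrive0", 0x0, 0x7, 0x3,
                                          0x002D1400, 0xC, 0x400)

if __name__ == "__main__":
    for key, value in REPORTED_CALL.items():
        print("%-36s %s" % (key, value))
```

The same decoder applies to any DeviceIoControl line in a sandbox report: an unknown control code still splits into device type, function and method, which is usually enough to tell a property query from a direct-I/O or driver-control call.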

                                                                                                              Control-flow Graph

                                                                                                              • Entry 2ce63e2. Direct API calls in graph order: RtlInitializeCriticalSection; GetModuleHandleA / GetProcAddress (resolving sprintf and strcat from ntdll.dll, per the string list below); GetTickCount; GetVersionExA; GetProcessHeap / RtlAllocateHeap (three allocations); RtlEnterCriticalSection / RtlLeaveCriticalSection; QueryPerformanceCounter; Sleep. From 2ce66f4 the function loops: Sleep, RtlEnterCriticalSection / RtlLeaveCriticalSection, InternetOpenA, InternetSetOptionA (three times), InternetOpenUrlA, an InternetReadFile loop at 2ce7346, InternetCloseHandle (twice), then the response-handling subcalls (2cf231c, 2ce439c, 2ce61f5, 2ce6303, 2ce640e, 2cea6fb, 2ced0ed and others) with further critical-section enter/leave pairs and a Sleep at 2ce76ec before control returns to 2ce66f4.
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                                                              • API String ID: 0-2678694477
                                                                                                              • Opcode ID: 7275043a6724e093b3d56d080058ed5157c1dcb89f48d0b6761ca57fec1f5bd3
                                                                                                              • Instruction ID: 37419fb64c6f0b80bedc76f4a5ac39517d918b27415294f38d182ca62bde6428
                                                                                                              • Opcode Fuzzy Hash: 7275043a6724e093b3d56d080058ed5157c1dcb89f48d0b6761ca57fec1f5bd3
                                                                                                              • Instruction Fuzzy Hash: 5081F371D58350ABF364AB74AC45B5BFBE9EF85310F20081EFA859B391DB749800CB96

                                                                                                              Control-flow Graph

                                                                                                              • Entry 2ce6392, reached through the blocks 2ce62fb–2ce648a (no API calls). From 2ce64d7 onward the graph is the same as the function at 2ce63e2 above: GetProcAddress / GetModuleHandleA / GetProcAddress (strcat resolved from ntdll.dll, xrefs 02CE64DC / 02CE64E1); GetTickCount; GetVersionExA; GetProcessHeap / RtlAllocateHeap (three allocations); the check-in query is formatted inside the 2ce64f3–2ce66f1 block (format string xref 02CE666F); RtlEnterCriticalSection / RtlLeaveCriticalSection; QueryPerformanceCounter; Sleep. The loop from 2ce66f4: Sleep, RtlEnterCriticalSection / RtlLeaveCriticalSection (User-Agent string xref 02CE6739 in the 2ce670e–2ce6742 block), InternetOpenA, InternetSetOptionA (three times), InternetOpenUrlA, InternetReadFile loop at 2ce7346, InternetCloseHandle (twice), response-handling subcalls, and a Sleep at 2ce76ec before control returns to 2ce66f4.
                                                                                                              Strings
                                                                                                              • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02CE6739
                                                                                                              • ntdll.dll, xrefs: 02CE64E1
                                                                                                              • cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 02CE666F
                                                                                                              • strcat, xrefs: 02CE64DC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$strcat
                                                                                                              • API String ID: 0-3302467957
                                                                                                              • Opcode ID: d7b5d1f7199bd807dc768cf5cc2f260416fe427738deee25504456d064966a21
                                                                                                              • Instruction ID: 37cddf721c726d71f6d681cf83e34565c66570ad0ecb04a6db0479915dfe11a3
                                                                                                              • Opcode Fuzzy Hash: d7b5d1f7199bd807dc768cf5cc2f260416fe427738deee25504456d064966a21
                                                                                                              • Instruction Fuzzy Hash: F1A12371C583509BE354AB34AC49B9BFBF8EF85310F20081EFA859B391DB719805CB92
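Both entries above (2ce63e2 and 2ce6392) carry the same check-in format string and the same hardcoded User-Agent, which makes them the natural detection anchors for this sample's HTTP traffic. The following is an added example, not code from the report or from the malware: it turns the printf format into a strict, ordered parser for the check-in query and runs it together with the User-Agent match over a few constructed proxy-log lines. The host c2.example.invalid, the /check path and the tab-separated log layout are placeholders (the report section shown here does not include the check-in URL). The User-Agent is a cheap signal on its own: no Windows release identifies itself as "Windows NT 9.0".

```python
"""Detection helpers for the Socks5Systemz check-in described above.

Added example; not code from the report or from the malware.  The only
inputs taken from the report are the printf format string and the
User-Agent below.  The C2 host, URL path and the proxy-log lines are
constructed placeholders (the report does not show the check-in URL).
"""
import re
from urllib.parse import urlsplit

BEACON_FORMAT = ("cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x"
                 "&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d")
BEACON_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

# printf conversion: %[flags][width][.precision]conv, for the conversions the format uses.
_CONV = re.compile(r"%(?P<flags>[0 #+-]*)(?P<width>\d+)?(?:\.(?P<prec>\d+))?(?P<conv>[dux])")


def _conv_to_regex(m):
    """Regex for one printf conversion; precision or zero-padded width sets a minimum digit count."""
    conv, flags, width, prec = m.group("conv"), m.group("flags"), m.group("width"), m.group("prec")
    digits = "[0-9a-f]" if conv == "x" else r"\d"
    sign = "-?" if conv == "d" else ""
    min_digits = prec or (width if "0" in flags else None)
    return sign + digits + ("{%s,}" % min_digits if min_digits else "+")


def format_to_regex(fmt):
    """Compile a printf query format into an anchored regex with one named group per key."""
    parts = []
    for pair in fmt.split("&"):
        key, spec = pair.split("=", 1)
        body, pos = "", 0
        for m in _CONV.finditer(spec):
            body += re.escape(spec[pos:m.start()]) + _conv_to_regex(m)
            pos = m.end()
        body += re.escape(spec[pos:])
        parts.append("%s=(?P<%s>%s)" % (re.escape(key), key, body))
    return re.compile("^" + "&".join(parts) + "$")


BEACON_RE = format_to_regex(BEACON_FORMAT)
_HEX_FIELDS = {"cid", "high_port", "low_port"}   # the %x conversions in the format


def parse_beacon(query):
    """Return the typed check-in fields, or None if the query is not exactly the beacon format."""
    m = BEACON_RE.match(query)
    if not m:
        return None
    out = {}
    for key, val in m.groupdict().items():
        if key == "os":
            out[key] = tuple(int(x) for x in val.split("."))   # major, minor, build
        else:
            out[key] = int(val, 16 if key in _HEX_FIELDS else 10)
    return out


def scan_proxy_log(lines):
    """Flag proxy-log lines (constructed layout: time, src, method, url, user-agent, tab-separated)
    whose User-Agent is the hardcoded string or whose query string parses as a beacon."""
    findings = []
    for line in lines:
        ts, src, method, url, ua = line.rstrip("\n").split("\t")
        reasons = []
        if ua == BEACON_UA:
            reasons.append("hardcoded user-agent")      # 'Windows NT 9.0' never shipped
        beacon = parse_beacon(urlsplit(url).query)
        if beacon is not None:
            reasons.append("beacon query format")
        if reasons:
            findings.append({"time": ts, "src": src, "host": urlsplit(url).hostname,
                             "reasons": reasons, "beacon": beacon})
    return findings


# Constructed sample log lines (not from the report); host and path are placeholders.
SAMPLE_LOG = [
    "2024-10-01T12:00:00Z\t10.0.0.5\tGET\thttp://c2.example.invalid/check?"
    "cid=0a1b2c3d&connected=1&sport=1080&high_port=ffff&low_port=400&stream=0&os=6.1.7601&dgt=1&dti=0"
    "\tMozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
    "2024-10-01T12:00:01Z\t10.0.0.6\tGET\thttps://www.example.com/index.html"
    "\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "2024-10-01T12:00:02Z\t10.0.0.7\tGET\thttp://cdn.example.com/a?cid=1&stream=0"
    "\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f["time"], f["src"], "->", f["host"], ";".join(f["reasons"]), f["beacon"])
```

The parser is anchored and ordered on purpose: a build that renames or appends a field no longer matches the query rule and falls through to the User-Agent rule, so a drop in "beacon query format" hits with the User-Agent still firing is itself a signal that the format changed.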

                                                                                                              Control-flow Graph

                                                                                                              • Entry 401f64: FindResourceA (lpType 0xA = RT_RCDATA) → 401f86: GetLastError, SizeofResource → 401fa6: LoadResource, LockResource, GlobalAlloc (flag 0x40 = GPTR: fixed, zero-initialised), two calls to 402900 → byte loop at 401fee → 401ffb: GetTickCount → arithmetic blocks 402005–402051 (no API calls) → 402053: GlobalAlloc, call 401c26 → return at 402096.
                                                                                                              APIs
                                                                                                              • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                                                              • GetLastError.KERNEL32 ref: 00401F86
                                                                                                              • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                                                              • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                                                              • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                                                              • GlobalAlloc.KERNELBASE(00000040,00000000), ref: 00401FBF
                                                                                                              • GetTickCount.KERNEL32 ref: 00401FFB
                                                                                                              • GlobalAlloc.KERNELBASE(00000040,?), ref: 00402061
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                                                              • String ID:
                                                                                                              • API String ID: 564119183-0
                                                                                                              • Opcode ID: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
                                                                                                              • Instruction ID: 5f40b5bb2c798fd06435bc38b1d437300a77b6e6fc54339f6675bf13ecd45336
                                                                                                              • Opcode Fuzzy Hash: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
                                                                                                              • Instruction Fuzzy Hash: 45314E71A00255AFDB105FB59F8896F7F68EF45344F10807AFE86F7281DA748845C7A8

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetVersion.KERNEL32 ref: 00402ED6
                                                                                                                • Part of subcall function 00403FF4: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F0F,00000000), ref: 00404005
                                                                                                                • Part of subcall function 00403FF4: HeapDestroy.KERNEL32 ref: 00404044
                                                                                                              • GetCommandLineA.KERNEL32 ref: 00402F24
                                                                                                              • GetStartupInfoA.KERNEL32(?), ref: 00402F4F
                                                                                                              • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402F72
                                                                                                                • Part of subcall function 00402FCB: ExitProcess.KERNEL32 ref: 00402FE8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                                              • String ID: Y
                                                                                                              • API String ID: 2057626494-4136946213
                                                                                                              • Opcode ID: bde1f74d60b81ae7252d13bfcbc661632079e5aa7379041ec1857b7291440294
                                                                                                              • Instruction ID: ae24bdd31f92ba5c0019e7eb98566f973638ce5b9b082510a96f2684413349a7
                                                                                                              • Opcode Fuzzy Hash: bde1f74d60b81ae7252d13bfcbc661632079e5aa7379041ec1857b7291440294
                                                                                                              • Instruction Fuzzy Hash: 3721A1B1840615ABDB14AFA6DE4AA6E7FB8EF44705F10413FF501B72D1DB384500CB58

                                                                                                              Control-flow Graph

                                                                                                              • Entry 4024e9 → 40d9fc: RegQueryValueExA → 40d1ad: RegCloseKey → 40d682: call 402d80 (the "EMAIL Safe Storage 10.2.45" string is referenced at 0040D687), looping back to the RegQueryValueExA block.
                                                                                                              APIs
                                                                                                              • RegCloseKey.KERNELBASE(?), ref: 0040D1B0
                                                                                                              • RegQueryValueExA.KERNELBASE(?), ref: 0040D9FF
                                                                                                              Strings
                                                                                                              • EMAIL Safe Storage 10.2.45, xrefs: 0040D687
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseQueryValue
                                                                                                              • String ID: EMAIL Safe Storage 10.2.45
                                                                                                              • API String ID: 3356406503-1623804280
                                                                                                              • Opcode ID: c453dc5691cf34d04038e166779bd5b8f77373db65ae843a3ef85714f6330f49
                                                                                                              • Instruction ID: d6000bce723b6a489c792cb5b742f735b7a17e2c6a792b17c45f967721b4e9f6
                                                                                                              • Opcode Fuzzy Hash: c453dc5691cf34d04038e166779bd5b8f77373db65ae843a3ef85714f6330f49
                                                                                                              • Instruction Fuzzy Hash: 9AD05E31D04006EBCB412FE09F1897E7A70BE44340321863BE526B20E0CFBC890ABB5E

                                                                                                              Control-flow Graph

                                                                                                              • Entry 2ce1aa9: InterlockedIncrement on the counter at 02D172AC, then a conditional branch that either returns at 2ce1add or first runs WSAStartup followed by InterlockedExchange on 02D172B0; consistent with a once-only Winsock initialisation guarded by interlocked operations.
                                                                                                              APIs
                                                                                                              • InterlockedIncrement.KERNEL32(02D172AC), ref: 02CE1ABA
                                                                                                              • WSAStartup.WS2_32(00000002,00000000), ref: 02CE1ACB
                                                                                                              • InterlockedExchange.KERNEL32(02D172B0,00000000), ref: 02CE1AD7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Interlocked$ExchangeIncrementStartup
                                                                                                              • String ID:
                                                                                                              • API String ID: 1856147945-0
                                                                                                              • Opcode ID: 3d8468dbef5fbe071fe9e43d8dc978e7f88676907852fc294a11d04b67c602f9
                                                                                                              • Instruction ID: ed4d40c179eca9e21480bb5f7be1fd3d88e7df1f5bba79568d660e54d0b54364
                                                                                                              • Opcode Fuzzy Hash: 3d8468dbef5fbe071fe9e43d8dc978e7f88676907852fc294a11d04b67c602f9
                                                                                                              • Instruction Fuzzy Hash: 4FD05E31D942086BF220A6A0BC4EF78F72CE705615F100751FC6AC56E4EB906E2485A7

                                                                                                               Control-flow Graph
                                                                                                               control_flow_graph 1180 4024f8-40d2eb GetCommandLineW CommandLineToArgvW GetLocalTime 1183 40d2f6-40d9bb 1180->1183 1184 40d2f1 call 401f27 1180->1184 1186 40d9c0 1183->1186 1184->1183 1186->1186
                                                                                                              APIs
                                                                                                              • GetCommandLineW.KERNEL32 ref: 0040D0F8
                                                                                                              • CommandLineToArgvW.SHELL32(00000000), ref: 0040D2DC
                                                                                                              • GetLocalTime.KERNEL32(0040C2B8), ref: 0040D2EB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CommandLine$ArgvLocalTime
                                                                                                              • String ID:
                                                                                                              • API String ID: 3768950922-0
                                                                                                              • Opcode ID: df9403f22ccd2ec6266c4ba907bac2b3b72347d2399d4300bd9fb75503481350
                                                                                                              • Instruction ID: 011ec28701dd62c9e67a367d827d1618ee337fc77102086ec8e26fee179af339
                                                                                                              • Opcode Fuzzy Hash: df9403f22ccd2ec6266c4ba907bac2b3b72347d2399d4300bd9fb75503481350
                                                                                                              • Instruction Fuzzy Hash: 88D09EB1C04502EFC7002BE09F4846936A96A4A355B21497FE147F65E0CF7C844FAB6F

                                                                                                               Control-flow Graph
                                                                                                               control_flow_graph 1187 403ff4-404012 HeapCreate 1188 404014-404021 call 403eac 1187->1188 1189 40404a-40404c 1187->1189 1192 404030-404033 1188->1192 1193 404023-40402e call 4043cb 1188->1193 1195 404035 call 404c1c 1192->1195 1196 40404d-404050 1192->1196 1199 40403a-40403c 1193->1199 1195->1199 1199->1196 1200 40403e-404044 HeapDestroy 1199->1200 1200->1189
                                                                                                              APIs
                                                                                                              • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F0F,00000000), ref: 00404005
                                                                                                                • Part of subcall function 00403EAC: GetVersionExA.KERNEL32 ref: 00403ECB
                                                                                                              • HeapDestroy.KERNEL32 ref: 00404044
                                                                                                                • Part of subcall function 004043CB: HeapAlloc.KERNEL32(00000000,00000140,0040402D,000003F8), ref: 004043D8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Heap$AllocCreateDestroyVersion
                                                                                                              • String ID:
                                                                                                              • API String ID: 2507506473-0
                                                                                                              • Opcode ID: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
                                                                                                              • Instruction ID: b1684c5e0161eeb02f30399066ba6d75b4260e35b9d13e26dc8fbe5d47634710
                                                                                                              • Opcode Fuzzy Hash: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
                                                                                                              • Instruction Fuzzy Hash: F5F092F0656301DAEB301B75AE46B3A39949BC0796F20443BF740F91E1EF7C8481960D

                                                                                                               Control-flow Graph
                                                                                                               control_flow_graph 1201 40d0d5-40d0de 1202 40d22a-40d585 lstrcmpiW 1201->1202 1204 40d20a 1202->1204 1205 40d58b 1202->1205 1204->1202
                                                                                                              APIs
                                                                                                              • lstrcmpiW.KERNELBASE(?,/chk), ref: 0040D57D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: lstrcmpi
                                                                                                              • String ID: /chk
                                                                                                              • API String ID: 1586166983-3837807730
                                                                                                              • Opcode ID: 5d87d6210419ad9895a1ff045f78dccd9c56321658a7003b7aa0f27fdd263701
                                                                                                              • Instruction ID: 65ada5d08b9c88bcec5299b20ccb44df377129532ba367c2d1eab3f24b293776
                                                                                                              • Opcode Fuzzy Hash: 5d87d6210419ad9895a1ff045f78dccd9c56321658a7003b7aa0f27fdd263701
                                                                                                              • Instruction Fuzzy Hash: 72D012B4B89301F7DA021B616E089766A246A5A7013318177F8D3B41D292BC8E1E71AF
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad
                                                                                                              • String ID:
                                                                                                              • API String ID: 1029625771-0
                                                                                                              • Opcode ID: de65ffebb5e45f8c89d6134bb41439e92fee9b0387fb17adf8de8fac79ededa1
                                                                                                              • Instruction ID: 5a157b904253e2aa38e5bc5315b778b4e36572fd60bc47e3008f69134bff643d
                                                                                                              • Opcode Fuzzy Hash: de65ffebb5e45f8c89d6134bb41439e92fee9b0387fb17adf8de8fac79ededa1
                                                                                                              • Instruction Fuzzy Hash: AE213B36908151CFCB018FA489987E63BA0FF06340B5445BBD852FF2D2C334C90B9B2A
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002D1A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D1A000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2d1a000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileRead
                                                                                                              • String ID:
                                                                                                              • API String ID: 2738559852-0
                                                                                                              • Opcode ID: 0db9b2b557cd5613eff9e2fc17767049abb177c0b8d2042480fa6a81549d1d4b
                                                                                                              • Instruction ID: e73162f1e0b65d7c50a8ba6e998bf3bfc79027b9e85b54f1d5e46542614b9f33
                                                                                                              • Opcode Fuzzy Hash: 0db9b2b557cd5613eff9e2fc17767049abb177c0b8d2042480fa6a81549d1d4b
                                                                                                              • Instruction Fuzzy Hash: 1D110CB211C6049FD7156F29D885779FBE8EF44710F06092DE6C5C7740E6319844CA9B
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad
                                                                                                              • String ID:
                                                                                                              • API String ID: 1029625771-0
                                                                                                              • Opcode ID: 9f01f683b5793bfdd03388e14d805ba95b2af20dfdd994b241564db24104f033
                                                                                                              • Instruction ID: 49316b64a20f1148842d91c695407342f7ce4ced52ee533080b11ea2ee1ba635
                                                                                                              • Opcode Fuzzy Hash: 9f01f683b5793bfdd03388e14d805ba95b2af20dfdd994b241564db24104f033
                                                                                                              • Instruction Fuzzy Hash: E5112131645245CFCB02CF28C8997A53BA0FF4634475440AEDC81EF5A2C339C80A8B59
                                                                                                              APIs
                                                                                                              • RegCreateKeyExA.KERNELBASE ref: 00402543
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0
                                                                                                              • Opcode ID: dfdca24b9bd897c08baa4f922ec5b8869d290b20c681479f2ef2f1c5f81c20d9
                                                                                                              • Instruction ID: e86e5788398ad5ec370c0cd5fab6caf9604394f5e4fcfe059cb09c483f6f9500
                                                                                                              • Opcode Fuzzy Hash: dfdca24b9bd897c08baa4f922ec5b8869d290b20c681479f2ef2f1c5f81c20d9
                                                                                                              • Instruction Fuzzy Hash: DDF0E534C081469BC300CB70FBC49E17BB1A716320B114176D582B62B3D6B8495AEBAE
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Close
                                                                                                              • String ID:
                                                                                                              • API String ID: 3535843008-0
                                                                                                              • Opcode ID: 7343344b0f3f811b2f50834a23459993b1102478b7c24b0e827dd04664b3ce84
                                                                                                              • Instruction ID: fd36924f277ccecbc38b62c2d5020ba26e8020c00e9625eafdaa15b6e2997bd1
                                                                                                              • Opcode Fuzzy Hash: 7343344b0f3f811b2f50834a23459993b1102478b7c24b0e827dd04664b3ce84
                                                                                                              • Instruction Fuzzy Hash: 08E0DF398081419BC300CB60FBD48D07BA2A20B2203114275D582A2773D5B80816EB9D
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CopyFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 1304948518-0
                                                                                                              • Opcode ID: e12ded132738abcfd030b4a3a4465a7dccca6a1948b07443f6c4f4e8c7b6a47a
                                                                                                              • Instruction ID: 8713062e66c69ad817040acfd762f229057449ed7e959b68f19058926f521a4b
                                                                                                              • Opcode Fuzzy Hash: e12ded132738abcfd030b4a3a4465a7dccca6a1948b07443f6c4f4e8c7b6a47a
                                                                                                              • Instruction Fuzzy Hash: A6D0A774D0911597C510A5D44E9ABBB229C8F18B45F5440BBBD0BF70C3D5BC894E661F
                                                                                                              APIs
                                                                                                              • CreateDirectoryA.KERNELBASE ref: 00402895
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateDirectory
                                                                                                              • String ID:
                                                                                                              • API String ID: 4241100979-0
                                                                                                              • Opcode ID: 53b263b84087b888d10e9121f13be7e93085db02dec439fe76a650f5b33dd836
                                                                                                              • Instruction ID: 5e6bdcf00e57100679fd93b4ef24118f771bdb45b6db3fa20512e41e88f9a14d
                                                                                                              • Opcode Fuzzy Hash: 53b263b84087b888d10e9121f13be7e93085db02dec439fe76a650f5b33dd836
                                                                                                              • Instruction Fuzzy Hash: 3DB09264886411B2C20222900E09E5E24282E5A789320403AB146700D249BC040B16BE
                                                                                                              APIs
                                                                                                              • RegSetValueExA.KERNELBASE(?), ref: 0040D3AF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Value
                                                                                                              • String ID:
                                                                                                              • API String ID: 3702945584-0
                                                                                                              • Opcode ID: 7b51cb39dad9631a3a2c649abcde9e444e019fb342e61587e6f89a635112c54b
                                                                                                              • Instruction ID: fd34fe6e0176ced8f9d47b5ed6fcc6259839a580a3f12868a294aa6379cd7340
                                                                                                              • Opcode Fuzzy Hash: 7b51cb39dad9631a3a2c649abcde9e444e019fb342e61587e6f89a635112c54b
                                                                                                              • Instruction Fuzzy Hash: 97B09B30C04004FACB051BD05914D7D7739AF043407304469F013700D0873A55157A2F
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ManagerOpen
                                                                                                              • String ID:
                                                                                                              • API String ID: 1889721586-0
                                                                                                              • Opcode ID: cb694429d39c5a9f3b675ab8e0488e58b83ed0a0816561fb89a142687fd7085f
                                                                                                              • Instruction ID: 3925f9e93ca265ada93c5b8fa2daf20f6d682a735e3dcc9cc72d8ada4525c891
                                                                                                              • Opcode Fuzzy Hash: cb694429d39c5a9f3b675ab8e0488e58b83ed0a0816561fb89a142687fd7085f
                                                                                                              • Instruction Fuzzy Hash: 1CB0125050C412DEC1C01A800FE8436248E054032E33000369303B00E08538004FF43F
                                                                                                              APIs
                                                                                                              • RegOpenKeyExA.KERNELBASE(80000002), ref: 0040D794
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Open
                                                                                                              • String ID:
                                                                                                              • API String ID: 71445658-0
                                                                                                              • Opcode ID: 6d57cfa68ba0ecfe0fdf2df9d1d64c2eb37b6f3bbf1813602ec709fa210ff96e
                                                                                                              • Instruction ID: 42bddc219cc8874ff969bda0413d02cab278e5bb267827c2d7325db7d644edd4
                                                                                                              • Opcode Fuzzy Hash: 6d57cfa68ba0ecfe0fdf2df9d1d64c2eb37b6f3bbf1813602ec709fa210ff96e
                                                                                                              • Instruction Fuzzy Hash: 07A00220204111EBF2041BB35F0D7256658AB04645F21457D5947F0591DA788055993A
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002D1A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D1A000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2d1a000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Sleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 3472027048-0
                                                                                                              • Opcode ID: 5df6e002e607bc2d9f76cfff25ff32c9db55bd21a0ccb85c4409d83af637af31
                                                                                                              • Instruction ID: 168626cb2ae2b5c282a602598a50b8a44c828ce68677a5226784d097a60d46b6
                                                                                                              • Opcode Fuzzy Hash: 5df6e002e607bc2d9f76cfff25ff32c9db55bd21a0ccb85c4409d83af637af31
                                                                                                              • Instruction Fuzzy Hash: E2316FB290D610AFE3056E58DC81BBAB7E8EF58761F06492EE6C5D3300D6359C40C696
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Sleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 3472027048-0
                                                                                                              • Opcode ID: bd5a7ec3f458db699173374b7c71c3553babedfa97ff54e438253782c4b5d85f
                                                                                                              • Instruction ID: 9cee021bcf4e27d3115748f719a68c23cb17412333841ab19a4688fb7ce3a5c7
                                                                                                              • Opcode Fuzzy Hash: bd5a7ec3f458db699173374b7c71c3553babedfa97ff54e438253782c4b5d85f
                                                                                                              • Instruction Fuzzy Hash: A2900231948900A6D20046A06B09B2435107305701F15013A6642680D04D75004A560A
                                                                                                              APIs
                                                                                                                • Part of subcall function 02CE9AAF: __EH_prolog.LIBCMT ref: 02CE9AB4
                                                                                                                • Part of subcall function 02CE9AAF: _Allocate.LIBCPMT ref: 02CE9B0B
                                                                                                                • Part of subcall function 02CE9AAF: _memmove.LIBCMT ref: 02CE9B62
                                                                                                              • _memset.LIBCMT ref: 02CF0919
                                                                                                              • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02CF0982
                                                                                                              • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02CF098A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                                                                              • String ID: Unknown error$invalid string position
                                                                                                              • API String ID: 1854462395-1837348584
                                                                                                              • Opcode ID: 0c6f040a4249da92e170c4d322ac56e7e1fa422dc8bc37f7673fb04201bf9e68
                                                                                                              • Instruction ID: 7e8ecd787e723a944a511967cb956fc6191de95eec20da2dd66f32f96d95c65c
                                                                                                              • Opcode Fuzzy Hash: 0c6f040a4249da92e170c4d322ac56e7e1fa422dc8bc37f7673fb04201bf9e68
                                                                                                              • Instruction Fuzzy Hash: 5151D070648341DFEB94CF25C890B2FBBE4AB98748F50092DF582976A2D771E648CF52
                                                                                                              APIs
                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,000F01FF,00000010,00000002,00000001), ref: 004028AD
                                                                                                              • CreateServiceA.ADVAPI32(?,?,?,000F01FF,00000010,00000002,00000001), ref: 0040D5DF
                                                                                                              • CloseServiceHandle.ADVAPI32(?,?,?,?,000F01FF,00000010,00000002,00000001), ref: 0040D5F0
                                                                                                              • CloseServiceHandle.ADVAPI32(?), ref: 0040D84D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Service$CloseHandle$Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2095555506-0
                                                                                                              • Opcode ID: fe6ff647c375c5874c2526eba402aa9e3cf6546ba16447b360cc22d777ce7a52
                                                                                                              • Instruction ID: 0ea2cee4d3e7bf806c62b432b0cc9af610ddf5b34eb13ffec14521d9c0061c0d
                                                                                                              • Opcode Fuzzy Hash: fe6ff647c375c5874c2526eba402aa9e3cf6546ba16447b360cc22d777ce7a52
                                                                                                              • Instruction Fuzzy Hash: 98E04F31A88104F6DE303B905F4EF6A3D39AB40720F21807BF246750D18AF99D4AB96E
                                                                                                              APIs
                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02CF4E76,?,?,?,00000001), ref: 02CF950D
                                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02CF9516
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                              • String ID:
                                                                                                              • API String ID: 3192549508-0
                                                                                                              • Opcode ID: a5e7f710bafd7c073c7240c03dc2c23f9f5be2accb86172c8f7f7caa4deadc8b
                                                                                                              • Instruction ID: ae86c17069f2a65df9808fa51bd7d8a95892ae846ed1cfe1ca85d930098037a3
                                                                                                              • Opcode Fuzzy Hash: a5e7f710bafd7c073c7240c03dc2c23f9f5be2accb86172c8f7f7caa4deadc8b
                                                                                                              • Instruction Fuzzy Hash: 47B09231484208EBEB012B91EC49F89BF38EB04662F104A10F60D492688B6268609AA1
                                                                                                              APIs
                                                                                                              • StartServiceCtrlDispatcherA.ADVAPI32 ref: 00402346
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CtrlDispatcherServiceStart
                                                                                                              • String ID:
                                                                                                              • API String ID: 3789849863-0
                                                                                                              • Opcode ID: 6975d3c615577038bce8cfac08c001ff68e6216eef4aeecf5a460573a71f5016
                                                                                                              • Instruction ID: 48966d1d1a20c7a6c50e8149ef70f1575b100bbc90cb1114d033244cefa922d3
                                                                                                              • Opcode Fuzzy Hash: 6975d3c615577038bce8cfac08c001ff68e6216eef4aeecf5a460573a71f5016
                                                                                                              • Instruction Fuzzy Hash: F3A0027000C501DAC1001BA05F4E875292DB65F3667215476594FB40E18BBC104BAD3F
                                                                                                              APIs
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02CE1D11
                                                                                                              • GetLastError.KERNEL32 ref: 02CE1D23
                                                                                                                • Part of subcall function 02CE1712: __EH_prolog.LIBCMT ref: 02CE1717
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02CE1D59
                                                                                                              • GetLastError.KERNEL32 ref: 02CE1D6B
                                                                                                              • __beginthreadex.LIBCMT ref: 02CE1DB1
                                                                                                              • GetLastError.KERNEL32 ref: 02CE1DC6
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CE1DDD
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CE1DEC
                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02CE1E14
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CE1E1B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                                              • String ID: thread$thread.entry_event$thread.exit_event
                                                                                                              • API String ID: 831262434-3017686385
                                                                                                              • Opcode ID: a64c94d765c994757003109604d68dc7baf8b73c74ed54f04a75f759bed340c4
                                                                                                              • Instruction ID: c51f129cd611170cd5cb1f26916d9f7ff029c24f4b9acf6200cde86d5f71bff3
                                                                                                              • Opcode Fuzzy Hash: a64c94d765c994757003109604d68dc7baf8b73c74ed54f04a75f759bed340c4
                                                                                                              • Instruction Fuzzy Hash: 5C3182719403019FDB00EF24C888B2BBBA5FB84714F144A5DF95A8B395DBB09D55CF92
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE24E6
                                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02CE24FC
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CE250E
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CE256D
                                                                                                              • SetLastError.KERNEL32(00000000,?,76E1DFB0), ref: 02CE257F
                                                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,76E1DFB0), ref: 02CE2599
                                                                                                              • GetLastError.KERNEL32(?,76E1DFB0), ref: 02CE25A2
                                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02CE25F0
                                                                                                              • InterlockedDecrement.KERNEL32(00000002), ref: 02CE262F
                                                                                                              • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02CE268E
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CE2699
                                                                                                              • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02CE26AD
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,76E1DFB0), ref: 02CE26BD
                                                                                                              • GetLastError.KERNEL32(?,76E1DFB0), ref: 02CE26C7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                                                              • String ID:
                                                                                                              • API String ID: 1213838671-0
                                                                                                              • Opcode ID: da0b083c351a01f9dbb040eca13fb8b3eb177aebd8439d8ff8a9ec62e447e0b5
                                                                                                              • Instruction ID: 45b2699167acaa3260cf93540b899a26db9eb92a517ecdb5e8e157a949134300
                                                                                                              • Opcode Fuzzy Hash: da0b083c351a01f9dbb040eca13fb8b3eb177aebd8439d8ff8a9ec62e447e0b5
                                                                                                              • Instruction Fuzzy Hash: DA613DB1940209AFDB11DFA4D984FAEBBBDFF48310F104629E906E7250D770AA14CF61
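The argument columns in the API records above are raw hex, so the analyst reading the service-install record (CreateServiceA with 000F01FF,00000010,00000002,00000001), the RegOpenKeyExA(80000002) record, the FormatMessageA(00001200,...) record, the CreateEventA(00000000,00000001,00000000,00000000) record and the GetQueuedCompletionStatus(...,000001F4,...) record has to decode them by hand. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it parses lines in the report's "• Api.Module(args), ref: addr" format and maps the decodable arguments to their Win32 SDK constant names (winsvc.h, winreg.h, winbase.h). The sample input is the report's own API lines copied into a string; the per-API decoder table and the `autostart_service_refs` triage helper are this example's own construction, not anything the report provides.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: API lines copied verbatim from the function records above
# (registry, FormatMessage, service-install, thread-start and IOCP-loop records).
SAMPLE_API_LINES = """
• RegOpenKeyExA.KERNELBASE(80000002), ref: 0040D794
• FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02CF0982
• CreateServiceA.ADVAPI32(?,?,?,000F01FF,00000010,00000002,00000001), ref: 0040D5DF
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02CE1D11
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,76E1DFB0), ref: 02CE2599
• StartServiceCtrlDispatcherA.ADVAPI32 ref: 00402346
"""

# "• Api.Module(arg,arg,...), ref: addr" or "• Api.Module ref: addr"; '?' = unresolved argument.
API_LINE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 SDK constants. Composite masks are listed first so an exact match
# (e.g. SERVICE_ALL_ACCESS) is reported as one name rather than its parts.
SERVICE_ACCESS = {0xF01FF: "SERVICE_ALL_ACCESS", 0xF0000: "STANDARD_RIGHTS_REQUIRED",
                  0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
                  0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP"}
SERVICE_TYPE = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS",
                0x100: "SERVICE_INTERACTIVE_PROCESS"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
ERROR_CONTROL = {0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL",
                 2: "SERVICE_ERROR_SEVERE", 3: "SERVICE_ERROR_CRITICAL"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
FORMAT_MESSAGE = {0x100: "FORMAT_MESSAGE_ALLOCATE_BUFFER", 0x200: "FORMAT_MESSAGE_IGNORE_INSERTS",
                  0x400: "FORMAT_MESSAGE_FROM_STRING", 0x800: "FORMAT_MESSAGE_FROM_HMODULE",
                  0x1000: "FORMAT_MESSAGE_FROM_SYSTEM", 0x2000: "FORMAT_MESSAGE_ARGUMENT_ARRAY"}

# Per API: argument index -> (decoder kind, lookup table). Example's own table.
DECODERS = {
    "CreateServiceA": {3: ("flags", SERVICE_ACCESS), 4: ("flags", SERVICE_TYPE),
                       5: ("enum", START_TYPE), 6: ("enum", ERROR_CONTROL)},
    "RegOpenKeyExA": {0: ("enum", HKEY)},
    "FormatMessageA": {0: ("flags", FORMAT_MESSAGE)},
    "CreateEventA": {1: ("enum", {0: "auto-reset", 1: "manual-reset"}),
                     2: ("enum", {0: "initially non-signaled", 1: "initially signaled"})},
    "GetQueuedCompletionStatus": {4: ("timeout", {})},
}

def parse_api_line(line: str) -> Optional[dict]:
    """Parse one report line; returns None for non-API lines (headers, subcall notes)."""
    m = API_LINE.search(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    return {"api": m.group("api"), "module": m.group("mod"),
            "args": args, "ref": int(m.group("ref"), 16)}

def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Split a bitmask into the table's names, leaving any unknown bits as hex."""
    names, rest = [], value
    for bit, name in table.items():
        if bit and (rest & bit) == bit:
            names.append(name)
            rest &= ~bit
    if rest or not names:
        names.append(hex(rest))
    return " | ".join(names)

def decode_call(call: dict) -> Dict[int, str]:
    """Decode the arguments we have a table for; unresolved ('?') arguments are skipped."""
    out: Dict[int, str] = {}
    for idx, (kind, table) in DECODERS.get(call["api"], {}).items():
        if idx >= len(call["args"]) or call["args"][idx] is None:
            continue
        v = call["args"][idx]
        if kind == "flags":
            out[idx] = decode_flags(v, table)
        elif kind == "enum":
            out[idx] = table.get(v, hex(v))
        else:  # timeout in milliseconds; 0xFFFFFFFF is INFINITE
            out[idx] = "INFINITE" if v == 0xFFFFFFFF else f"{v} ms"
    return out

def decode_report(text: str) -> List[Tuple[str, int, Dict[int, str]]]:
    """(api, ref address, decoded args) for every API line in a block of report text."""
    rows = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call:
            rows.append((call["api"], call["ref"], decode_call(call)))
    return rows

def autostart_service_refs(rows) -> List[int]:
    """Refs of CreateServiceA calls that register an auto-start service (boot persistence)."""
    return [ref for api, ref, dec in rows
            if api == "CreateServiceA" and dec.get(5) == "SERVICE_AUTO_START"]
```

Run `decode_report(SAMPLE_API_LINES)` (or feed it a larger copied-out block of this report) and the records read as: CreateServiceA at 0040D5DF requests SERVICE_ALL_ACCESS for a SERVICE_WIN32_OWN_PROCESS service with SERVICE_AUTO_START and SERVICE_ERROR_NORMAL, i.e. a service the SCM launches at every boot, which fits the StartServiceCtrlDispatcherA record at 00402346; RegOpenKeyExA at 0040D794 opens a key under HKEY_LOCAL_MACHINE; FormatMessageA at 02CF0982 is the usual FROM_SYSTEM | IGNORE_INSERTS error-string lookup paired with the GetLastError that follows it; the two CreateEventA calls make manual-reset, initially non-signaled events; and the GetQueuedCompletionStatus loop wakes every 500 ms. Arguments the sandbox left as "?" (the service name and binary path among them) are skipped rather than guessed, so the decoder never reports more than the record contains.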
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE4608
                                                                                                                • Part of subcall function 02CF3B2C: _malloc.LIBCMT ref: 02CF3B44
                                                                                                              • htons.WS2_32(?), ref: 02CE4669
                                                                                                              • htonl.WS2_32(?), ref: 02CE468C
                                                                                                              • htonl.WS2_32(00000000), ref: 02CE4693
                                                                                                              • htons.WS2_32(00000000), ref: 02CE4747
                                                                                                              • _sprintf.LIBCMT ref: 02CE475D
                                                                                                                • Part of subcall function 02CE8962: _memmove.LIBCMT ref: 02CE8982
                                                                                                              • htons.WS2_32(?), ref: 02CE46B0
                                                                                                                • Part of subcall function 02CE970D: __EH_prolog.LIBCMT ref: 02CE9712
                                                                                                                • Part of subcall function 02CE970D: RtlEnterCriticalSection.NTDLL(00000020), ref: 02CE978D
                                                                                                                • Part of subcall function 02CE970D: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02CE97AB
                                                                                                                • Part of subcall function 02CE1BA7: __EH_prolog.LIBCMT ref: 02CE1BAC
                                                                                                                • Part of subcall function 02CE1BA7: RtlEnterCriticalSection.NTDLL ref: 02CE1BBC
                                                                                                                • Part of subcall function 02CE1BA7: RtlLeaveCriticalSection.NTDLL ref: 02CE1BEA
                                                                                                                • Part of subcall function 02CE1BA7: RtlEnterCriticalSection.NTDLL ref: 02CE1C13
                                                                                                                • Part of subcall function 02CE1BA7: RtlLeaveCriticalSection.NTDLL ref: 02CE1C56
                                                                                                                • Part of subcall function 02CEDEC9: __EH_prolog.LIBCMT ref: 02CEDECE
                                                                                                              • htonl.WS2_32(?), ref: 02CE497C
                                                                                                              • htonl.WS2_32(00000000), ref: 02CE4983
                                                                                                              • htonl.WS2_32(00000000), ref: 02CE49C8
                                                                                                              • htonl.WS2_32(00000000), ref: 02CE49CF
                                                                                                              • htons.WS2_32(?), ref: 02CE49EF
                                                                                                              • htons.WS2_32(?), ref: 02CE49F9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                                                              • String ID:
                                                                                                              • API String ID: 1645262487-0
                                                                                                              • Opcode ID: 3bea359fc1ed85237162bdb9de1d5b3c2305e8f80d477df99f0e8a7caa2592fd
                                                                                                              • Instruction ID: c451d8993e9576e433b07b0ca13d5b43c06b8a5d31d390dd6f47b8d3069bc626
                                                                                                              • Opcode Fuzzy Hash: 3bea359fc1ed85237162bdb9de1d5b3c2305e8f80d477df99f0e8a7caa2592fd
                                                                                                              • Instruction Fuzzy Hash: 06024C71D00259EEEF25DFA4D844BEEBBB9AF08304F10415AE506B7290DB746A48DFA1
                                                                                                              APIs
                                                                                                              • RegisterServiceCtrlHandlerA.ADVAPI32(EMAIL Safe Storage 10.2.45,Function_0000235E), ref: 004023C1
                                                                                                              • SetServiceStatus.ADVAPI32(0040C408), ref: 00402420
                                                                                                              • GetLastError.KERNEL32 ref: 00402422
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                                                                              • GetLastError.KERNEL32 ref: 00402450
                                                                                                              • SetServiceStatus.ADVAPI32(0040C408), ref: 00402480
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                                                                              • CloseHandle.KERNEL32 ref: 004024A1
                                                                                                              • SetServiceStatus.ADVAPI32(0040C408), ref: 004024CA
                                                                                                              Strings
                                                                                                              • EMAIL Safe Storage 10.2.45, xrefs: 004023BC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                                                              • String ID: EMAIL Safe Storage 10.2.45
                                                                                                              • API String ID: 3346042915-1623804280
                                                                                                              • Opcode ID: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
                                                                                                              • Instruction ID: b8fe7bda3a7dcfcb82ad829e681adc6a99cb3bee06a9baca5ac2dc3afb04543b
                                                                                                              • Opcode Fuzzy Hash: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
                                                                                                              • Instruction Fuzzy Hash: E121C570441214EBC2105F16EFE9A267FA8FBD5794711823EE544B22B2CBB90549CFAD
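The function above is a service entry point: it registers a control handler with the Service Control Manager under the name EMAIL Safe Storage 10.2.45 (the argument to RegisterServiceCtrlHandlerA), reports status to the SCM with SetServiceStatus, creates an event and a worker thread (Function_000022CB), and then waits on that thread before reporting status a final time. The name passed to RegisterServiceCtrlHandlerA is the SCM service name (the key under the Services hive), not necessarily the display name. The following hunting script is an added example, not part of the Joe Sandbox report or of the sample; it checks a Windows host for that service by name through three independent sources (the live SCM, the Services registry hive, and the SCM's own event 7045 "A service was installed in the system", which survives removal of the service). Matching on the prefix "EMAIL Safe Storage" rather than the full versioned string is an assumption that the version suffix varies between builds; the sample's install path is not shown in this section, so no path-based check is made.

```powershell
# Added hunting example; not code from the report or the sample.
# Looks for the service name that the analysed sample registers with the SCM
# ("EMAIL Safe Storage 10.2.45"). Run elevated for full registry/event access.
param(
    # Prefix match on the name seen in the report; the trailing wildcard on the
    # version suffix is an assumption, not something the report states.
    [string]$ServicePattern = 'EMAIL Safe Storage*'
)

$findings = @()

# 1. Live SCM view: name, display name, state, start mode, binary path, PID.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $ServicePattern -or $_.DisplayName -like $ServicePattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Source    = 'Win32_Service'
            Name      = $_.Name
            When      = $null
            StartMode = $_.StartMode
            Path      = $_.PathName
            Pid       = $_.ProcessId
        }
    }

# 2. Registry view: catches a service key that exists but is disabled or not
#    enumerable through the SCM. Start: 2 = Automatic, 3 = Manual, 4 = Disabled.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like $ServicePattern } |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $findings += [pscustomobject]@{
            Source    = 'Registry'
            Name      = $_.PSChildName
            When      = $null
            StartMode = $props.Start
            Path      = $props.ImagePath
            Pid       = $null
        }
    }

# 3. Historical view: the SCM writes event 7045 to the System log whenever a
#    service is installed. Its event data is ServiceName (index 0) and
#    ImagePath (index 1); this record remains after the service is deleted.
$evtFilter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 }
Get-WinEvent -FilterHashtable $evtFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -like $ServicePattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Source    = 'EventID7045'
            Name      = $_.Properties[0].Value
            When      = $_.TimeCreated
            StartMode = $null
            Path      = $_.Properties[1].Value
            Pid       = $null
        }
    }

if ($findings.Count -eq 0) {
    Write-Output "No service matching '$ServicePattern' found via SCM, registry or event 7045."
} else {
    $findings | Format-Table -AutoSize
}
```

A hit from the registry or event log without a matching Win32_Service entry means the service was installed and later removed or hidden from enumeration; in that case the ImagePath from the 7045 record is the artifact to collect. Because the sample is detected as Socks5Systemz, a host with this service should also be checked for an unexpected listening socket owned by the service process (the Pid column from the SCM view).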
                                                                                                              APIs
                                                                                                              • RtlDecodePointer.NTDLL(?), ref: 02CF831A
                                                                                                              • _free.LIBCMT ref: 02CF8333
                                                                                                                • Part of subcall function 02CF2F54: HeapFree.KERNEL32(00000000,00000000,?,02CF5CB2,00000000,00000104,76E20A60), ref: 02CF2F68
                                                                                                                • Part of subcall function 02CF2F54: GetLastError.KERNEL32(00000000,?,02CF5CB2,00000000,00000104,76E20A60), ref: 02CF2F7A
                                                                                                              • _free.LIBCMT ref: 02CF8346
                                                                                                              • _free.LIBCMT ref: 02CF8364
                                                                                                              • _free.LIBCMT ref: 02CF8376
                                                                                                              • _free.LIBCMT ref: 02CF8387
                                                                                                              • _free.LIBCMT ref: 02CF8392
                                                                                                              • _free.LIBCMT ref: 02CF83B6
                                                                                                              • RtlEncodePointer.NTDLL(00879E38), ref: 02CF83BD
                                                                                                              • _free.LIBCMT ref: 02CF83D2
                                                                                                              • _free.LIBCMT ref: 02CF83E8
                                                                                                              • _free.LIBCMT ref: 02CF8410
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 3064303923-0
                                                                                                              • Opcode ID: dd79f51a6ba9088f8749e0c393ba5ab4d48763b73c16d9dd6238349ce2de1a31
                                                                                                              • Instruction ID: e992d427e6a310078e0c74108009a46da0b7a4933978d8d362ffeac4fee03fc3
                                                                                                              • Opcode Fuzzy Hash: dd79f51a6ba9088f8749e0c393ba5ab4d48763b73c16d9dd6238349ce2de1a31
                                                                                                              • Instruction Fuzzy Hash: 7821B132D41220EBDBE5AF54F8815057B69B74432032A0A69EA0C97790CB31DD6FDFD5
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE4D8B
                                                                                                              • RtlEnterCriticalSection.NTDLL(02D171E0), ref: 02CE4DB7
                                                                                                              • RtlLeaveCriticalSection.NTDLL(02D171E0), ref: 02CE4DC3
                                                                                                                • Part of subcall function 02CE4BED: __EH_prolog.LIBCMT ref: 02CE4BF2
                                                                                                                • Part of subcall function 02CE4BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02CE4CF2
                                                                                                              • RtlEnterCriticalSection.NTDLL(02D171E0), ref: 02CE4E93
                                                                                                              • RtlLeaveCriticalSection.NTDLL(02D171E0), ref: 02CE4E99
                                                                                                              • RtlEnterCriticalSection.NTDLL(02D171E0), ref: 02CE4EA0
                                                                                                              • RtlLeaveCriticalSection.NTDLL(02D171E0), ref: 02CE4EA6
                                                                                                              • RtlEnterCriticalSection.NTDLL(02D171E0), ref: 02CE50A7
                                                                                                              • RtlLeaveCriticalSection.NTDLL(02D171E0), ref: 02CE50AD
                                                                                                              • RtlEnterCriticalSection.NTDLL(02D171E0), ref: 02CE50B8
                                                                                                              • RtlLeaveCriticalSection.NTDLL(02D171E0), ref: 02CE50C1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                                              • String ID:
                                                                                                              • API String ID: 2062355503-0
                                                                                                              • Opcode ID: dda8615bcbd92efef39ada8fcbe4c441efe12a5cafa700d53e4d795f16ed478e
                                                                                                              • Instruction ID: 60eb086890b69e1fb4642eff8abb0905a024be89bb9e16a670fbdfbe2904da28
                                                                                                              • Opcode Fuzzy Hash: dda8615bcbd92efef39ada8fcbe4c441efe12a5cafa700d53e4d795f16ed478e
                                                                                                              • Instruction Fuzzy Hash: CAB14B71D0025DDFEF25DF90D884BEEBBB5AF04314F20419AE40667290DBB45A49DFA2
                                                                                                              APIs
                                                                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BBD
                                                                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BD1
                                                                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BFD
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C35
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C57
                                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C70
                                                                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403C83
                                                                                                              • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403CC1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                                              • String ID: 4/@
                                                                                                              • API String ID: 1823725401-3101945251
                                                                                                              • Opcode ID: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
                                                                                                              • Instruction ID: a2970ceca2a6c3f976dc545d3d2173026391ae6ff2d108e1c7f08cdddd2a955e
                                                                                                              • Opcode Fuzzy Hash: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
                                                                                                              • Instruction Fuzzy Hash: AD31F27350C1245EE7202F785DC883B7E9CEA4534A711093FF942F3380EA798E81466D
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE3428
                                                                                                              • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02CE346B
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02CE3472
                                                                                                              • GetLastError.KERNEL32 ref: 02CE3486
                                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02CE34D7
                                                                                                              • RtlEnterCriticalSection.NTDLL(00000018), ref: 02CE34ED
                                                                                                              • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02CE3518
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                                                              • String ID: CancelIoEx$KERNEL32
                                                                                                              • API String ID: 2902213904-434325024
                                                                                                              • Opcode ID: 4bd5a5a9be39203fb129232786ac0f85241166babdc97e0a27f6206427dbdbe6
                                                                                                              • Instruction ID: 5ba9ce546c03830376ae09f40e8d03187f653578f2ae041d6a9dbb058ffb8889
                                                                                                              • Opcode Fuzzy Hash: 4bd5a5a9be39203fb129232786ac0f85241166babdc97e0a27f6206427dbdbe6
                                                                                                              • Instruction Fuzzy Hash: 42319EB1900345DFEB019F68C884BBABBF9FF88311F104599E9069B355D7B0A911CFA1
                                                                                                              APIs
                                                                                                              • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404381,?,Microsoft Visual C++ Runtime Library,00012010,?,0040858C,?,004085DC,?,?,?,Runtime Error!Program: ), ref: 0040658A
                                                                                                              • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004065A2
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004065B3
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004065C0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$LibraryLoad
                                                                                                              • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                                                              • API String ID: 2238633743-4044615076
                                                                                                              • Opcode ID: 987b992b6f5bbeab899bec9017d6b859524fa9c80776c30a59c8d29f16b735e1
                                                                                                              • Instruction ID: 34c45dea863b0ad37b671b2ee6745cf1fa65c172ae9c71c573f5c1b511995102
                                                                                                              • Opcode Fuzzy Hash: 987b992b6f5bbeab899bec9017d6b859524fa9c80776c30a59c8d29f16b735e1
                                                                                                              • Instruction Fuzzy Hash: FA017571A40201FFCB209FB5BFC492B3AE99B58690306193FB541F2291DE79C815DB68
                                                                                                              APIs
                                                                                                              • LCMapStringW.KERNEL32(00000000,00000100,00408658,00000001,00000000,00000000,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 00406899
                                                                                                              • LCMapStringA.KERNEL32(00000000,00000100,00408654,00000001,00000000,00000000,?,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 004068B5
                                                                                                              • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00406317,?,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 004068FE
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 00406936
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406317,00200020,00000000,?,00000000), ref: 0040698E
                                                                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406317,00200020,00000000,?,00000000), ref: 004069A4
                                                                                                              • LCMapStringW.KERNEL32(00000000,?,00406317,00000000,00406317,?,?,00406317,00200020,00000000,?,00000000), ref: 004069D7
                                                                                                              • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406317,00200020,00000000,?,00000000), ref: 00406A3F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: String$ByteCharMultiWide
                                                                                                              • String ID:
                                                                                                              • API String ID: 352835431-0
                                                                                                              • Opcode ID: e9f64dd7570e4df949ea1626fd4153753d4334a99172a5ae067b945d03b43c58
                                                                                                              • Instruction ID: 8dbeb6cb8c932cbdef2775d2a29e2de0fc7c35b208bd80b0a47b5516e3ba15ce
                                                                                                              • Opcode Fuzzy Hash: e9f64dd7570e4df949ea1626fd4153753d4334a99172a5ae067b945d03b43c58
                                                                                                              • Instruction Fuzzy Hash: 3E518A71500209EBCF219F94CD45AAF7BB5FB49714F12413AF912B12A0C73A8C21DB69
                                                                                                              APIs
                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 004042CA
                                                                                                              • GetStdHandle.KERNEL32(000000F4,0040858C,00000000,?,00000000,00000000), ref: 004043A0
                                                                                                              • WriteFile.KERNEL32(00000000), ref: 004043A7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$HandleModuleNameWrite
                                                                                                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                              • API String ID: 3784150691-4022980321
                                                                                                              • Opcode ID: 4bb15c7821e3b7df3b39c29bb8507035fb8a1658cdd6742b24a8a426161d7798
                                                                                                              • Instruction ID: ad501088bf1d437e3d5a217a77e101a13ac7783d72fc0021c8d9dd27a33d1b06
                                                                                                              • Opcode Fuzzy Hash: 4bb15c7821e3b7df3b39c29bb8507035fb8a1658cdd6742b24a8a426161d7798
                                                                                                              • Instruction Fuzzy Hash: 52318772600218AFDF2096608E45FDA736DAF85304F1004BFF944B61D1EA789D458A5D
                                                                                                              APIs
                                                                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000,8C8CC0CD), ref: 02CF1690
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CF16A5
                                                                                                              • ResetEvent.KERNEL32(00000000,8C8CC0CD), ref: 02CF16AF
                                                                                                              • CloseHandle.KERNEL32(00000000,8C8CC0CD), ref: 02CF16E4
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,8C8CC0CD), ref: 02CF175A
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CF176F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseEventHandle$CreateOpenReset
                                                                                                              • String ID:
                                                                                                              • API String ID: 1285874450-0
                                                                                                              • Opcode ID: 172de69fe06cd0dda310547c6304c4f3f6a5bd414d4ddd57e259dbb3f45ffda9
                                                                                                              • Instruction ID: 9adb25895c6c54b61368a0a399bf9cd08887f5d86cdd29780be86eef196c4379
                                                                                                              • Opcode Fuzzy Hash: 172de69fe06cd0dda310547c6304c4f3f6a5bd414d4ddd57e259dbb3f45ffda9
                                                                                                              • Instruction Fuzzy Hash: D3413F70D04358EBDF90CFA5C884B9DB7B8EF45724F184219E51CAB380D7719A05CB91
                                                                                                              APIs
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE20AC
                                                                                                              • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02CE20CD
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CE20D8
                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 02CE213E
                                                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02CE217A
                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 02CE2187
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CE21A6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                                                              • String ID:
                                                                                                              • API String ID: 1171374749-0
                                                                                                              • Opcode ID: e7450c19d4c60c2082e45e0ff3ac4171fadff3da87fbfd64085b537992545e53
                                                                                                              • Instruction ID: dc0f33358f88c5f217d36cd3f355b8bae2073d5cbdff085d1966fd89959293d4
                                                                                                              • Opcode Fuzzy Hash: e7450c19d4c60c2082e45e0ff3ac4171fadff3da87fbfd64085b537992545e53
                                                                                                              • Instruction Fuzzy Hash: 694139715047019FD721DF25D884A6BBBF9FFC8654F104A1EF89A82250D730EA09CFA2
                                                                                                              APIs
                                                                                                                • Part of subcall function 02CF1EB0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02CF170E,?,?), ref: 02CF1EDF
                                                                                                                • Part of subcall function 02CF1EB0: CloseHandle.KERNEL32(00000000,?,?,02CF170E,?,?), ref: 02CF1EF4
                                                                                                                • Part of subcall function 02CF1EB0: SetEvent.KERNEL32(00000000,02CF170E,?,?), ref: 02CF1F07
                                                                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000,8C8CC0CD), ref: 02CF1690
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CF16A5
                                                                                                              • ResetEvent.KERNEL32(00000000,8C8CC0CD), ref: 02CF16AF
                                                                                                              • CloseHandle.KERNEL32(00000000,8C8CC0CD), ref: 02CF16E4
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 02CF1715
                                                                                                                • Part of subcall function 02CF453A: RaiseException.KERNEL32(?,?,02CEFB35,?,?,?,?,?,?,?,02CEFB35,?,02D10F98,?), ref: 02CF458F
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,8C8CC0CD), ref: 02CF175A
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CF176F
                                                                                                                • Part of subcall function 02CF1BF0: GetCurrentProcessId.KERNEL32(?), ref: 02CF1C49
                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,8C8CC0CD), ref: 02CF177F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 2227236058-0
                                                                                                              • Opcode ID: 4f2af0349c1cdee796caec5430ddcc9b6ed0332f2eaeb548371cb55fcf66144e
                                                                                                              • Instruction ID: 45654c1e37cce56a8ed9f5b5dd2556a59b90522a1115b055b01c6756bd501576
                                                                                                              • Opcode Fuzzy Hash: 4f2af0349c1cdee796caec5430ddcc9b6ed0332f2eaeb548371cb55fcf66144e
                                                                                                              • Instruction Fuzzy Hash: 93314F71D00309DBDFA4DBE49844BADB7B9AF45314F180219EA1CEB280D7A19A058B51
                                                                                                              APIs
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CE2706
                                                                                                              • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02CE272B
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02D05B33), ref: 02CE2738
                                                                                                                • Part of subcall function 02CE1712: __EH_prolog.LIBCMT ref: 02CE1717
                                                                                                              • SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02CE2778
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CE27D9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                                              • String ID: timer
                                                                                                              • API String ID: 4293676635-1792073242
                                                                                                              • Opcode ID: 9cae5147333bc2d321e4c0528ec9b425ed64015e0f6e3792b94b885e45ffd70a
                                                                                                              • Instruction ID: a83102a60f19fd5dd098104beacd4ef872ae9c91d49e69687470950b60a403fa
                                                                                                              • Opcode Fuzzy Hash: 9cae5147333bc2d321e4c0528ec9b425ed64015e0f6e3792b94b885e45ffd70a
                                                                                                              • Instruction Fuzzy Hash: 5831EEB1804741AFE710DF25C985B16BBE8FB48720F004A2EF95687680D770ED10CFA2
                                                                                                              APIs
                                                                                                              • __init_pointers.LIBCMT ref: 02CF5D74
                                                                                                                • Part of subcall function 02CF84E2: RtlEncodePointer.NTDLL(00000000), ref: 02CF84E5
                                                                                                                • Part of subcall function 02CF84E2: __initp_misc_winsig.LIBCMT ref: 02CF8500
                                                                                                                • Part of subcall function 02CF84E2: GetModuleHandleW.KERNEL32(kernel32.dll,?,02D11598,00000008,00000003,02D10F7C,?,00000001), ref: 02CF9261
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02CF9275
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02CF9288
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02CF929B
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02CF92AE
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02CF92C1
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02CF92D4
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02CF92E7
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02CF92FA
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02CF930D
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02CF9320
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02CF9333
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02CF9346
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02CF9359
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02CF936C
                                                                                                                • Part of subcall function 02CF84E2: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02CF937F
                                                                                                              • __mtinitlocks.LIBCMT ref: 02CF5D79
                                                                                                              • __mtterm.LIBCMT ref: 02CF5D82
                                                                                                                • Part of subcall function 02CF5DEA: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02CF8918
                                                                                                                • Part of subcall function 02CF5DEA: _free.LIBCMT ref: 02CF891F
                                                                                                                • Part of subcall function 02CF5DEA: RtlDeleteCriticalSection.NTDLL(02D13978), ref: 02CF8941
                                                                                                              • __calloc_crt.LIBCMT ref: 02CF5DA7
                                                                                                              • __initptd.LIBCMT ref: 02CF5DC9
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 02CF5DD0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 3567560977-0
                                                                                                              • Opcode ID: 732f57f24e3b729417d013cae3624986e00adc9ec99099c7c008b7a34d0624a8
                                                                                                              • Instruction ID: be2d6364041ab15be5f35c00a18d41fad5a2be7cc554bedad0a01a8dd11f8989
                                                                                                              • Opcode Fuzzy Hash: 732f57f24e3b729417d013cae3624986e00adc9ec99099c7c008b7a34d0624a8
                                                                                                              • Instruction Fuzzy Hash: F1F0F03364A7111BF6E836B87D0D38A2B8ADB01BB0B600729E714C51C0FF20C8026950
                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 02CF34BB
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02CF34C2
                                                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02CF34CE
                                                                                                              • RtlDecodePointer.NTDLL(00000001), ref: 02CF34EB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                              • String ID: RoInitialize$combase.dll
                                                                                                              • API String ID: 3489934621-340411864
                                                                                                              • Opcode ID: d770465b4ff832960a06d8798fa35a772705ecb770c13d10b374caad68b15e62
                                                                                                              • Instruction ID: f313b1584a3675976a3414f522f0dedefeab043924fd51a20bc77485f68acfef
                                                                                                              • Opcode Fuzzy Hash: d770465b4ff832960a06d8798fa35a772705ecb770c13d10b374caad68b15e62
                                                                                                              • Instruction Fuzzy Hash: 52E0ED70ED0380BAFA501B70EC8DB053B69B740702F205968B506D53E8D7B5AD659F60
                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02CF3490), ref: 02CF3590
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02CF3597
                                                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02CF35A2
                                                                                                              • RtlDecodePointer.NTDLL(02CF3490), ref: 02CF35BD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                              • String ID: RoUninitialize$combase.dll
                                                                                                              • API String ID: 3489934621-2819208100
                                                                                                              • Opcode ID: c99e7356e1106e14c00110ac533169b6435f1b296ef2d1461bacd596c7e0ed4a
                                                                                                              • Instruction ID: 25ae267334c745d5ef26fea7f80ddcc6d72ebad9bb77e60919e077197456efe9
                                                                                                              • Opcode Fuzzy Hash: c99e7356e1106e14c00110ac533169b6435f1b296ef2d1461bacd596c7e0ed4a
                                                                                                              • Instruction Fuzzy Hash: B7E01A70DC1340BAFA504B60AD4EB093769B740705F205C54B202D53E8C7B0AD24CA50
                                                                                                              APIs
                                                                                                              • TlsGetValue.KERNEL32(FFFFFFFF,8C8CC0CD,?,?,?,?,00000000,02D06A98,000000FF,02CF21AA), ref: 02CF1F4A
                                                                                                              • TlsSetValue.KERNEL32(FFFFFFFF,02CF21AA,?,?,00000000), ref: 02CF1FB7
                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02CF1FE1
                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02CF1FE4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: HeapValue$FreeProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 1812714009-0
                                                                                                              • Opcode ID: 0b3c8401ed134c9e808f404a9725ca5a4d0f943fe8bccbc151ed3b09d143fbee
                                                                                                              • Instruction ID: 59cf5697d804087d5326357d3bce0e5ecb7d0f49dd2c0502168fdd78c2ed6bae
                                                                                                              • Opcode Fuzzy Hash: 0b3c8401ed134c9e808f404a9725ca5a4d0f943fe8bccbc151ed3b09d143fbee
                                                                                                              • Instruction Fuzzy Hash: 7E51D0329043049FD7A0CF29C484F16BBE5FB88364F198659EA599B794D771ED00CB92
                                                                                                              APIs
                                                                                                              • _ValidateScopeTableHandlers.LIBCMT ref: 02D05770
                                                                                                              • __FindPESection.LIBCMT ref: 02D0578A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FindHandlersScopeSectionTableValidate
                                                                                                              • String ID:
                                                                                                              • API String ID: 876702719-0
                                                                                                              • Opcode ID: fa667eb85a24c60d444a2b0d4febc11bf6de8339a8b952700037f395f4b68c0e
                                                                                                              • Instruction ID: d1b65594948f505767d6c30957a8f7484c2a3277e0042551195581aba671dcf1
                                                                                                              • Opcode Fuzzy Hash: fa667eb85a24c60d444a2b0d4febc11bf6de8339a8b952700037f395f4b68c0e
                                                                                                              • Instruction Fuzzy Hash: 48A19C71E002159BDB25CF58E9C0BADB7A5FB44324F944669EC45AB3A1E731EC02CFA0
                                                                                                              APIs
                                                                                                              • GetStringTypeW.KERNEL32(00000001,00408658,00000001,00000000,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 0040674D
                                                                                                              • GetStringTypeA.KERNEL32(00000000,00000001,00408654,00000001,?,?,00000000,00000000,00000001), ref: 00406767
                                                                                                              • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 0040679B
                                                                                                              • MultiByteToWideChar.KERNEL32(00406317,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 004067D3
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406829
                                                                                                              • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040683B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: StringType$ByteCharMultiWide
                                                                                                              • String ID:
                                                                                                              • API String ID: 3852931651-0
                                                                                                              • Opcode ID: 6d8eb81ee64157f72203894b93785b9b85560a11f4962ec6ebb452b13d20bf59
                                                                                                              • Instruction ID: 7abba187aa9a424c0dbe6a0d425d95b5373609879485ba3de4d3a8f21a169ece
                                                                                                              • Opcode Fuzzy Hash: 6d8eb81ee64157f72203894b93785b9b85560a11f4962ec6ebb452b13d20bf59
                                                                                                              • Instruction Fuzzy Hash: 11418D72901209EFCF209F94CD85EAF3B79FB04754F11453AF912F2290D73989608B99
                                                                                                              APIs
                                                                                                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02CE1CB1
                                                                                                              • CloseHandle.KERNEL32(?), ref: 02CE1CBA
                                                                                                              • InterlockedExchangeAdd.KERNEL32(02D17274,00000000), ref: 02CE1CC6
                                                                                                              • TerminateThread.KERNEL32(?,00000000), ref: 02CE1CD4
                                                                                                              • QueueUserAPC.KERNEL32(02CE1E7C,?,00000000), ref: 02CE1CE1
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02CE1CEC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 1946104331-0
                                                                                                              • Opcode ID: 6bf94d6c04a0975adb8cb764863ef4f9339397695d3755262639ae20fb41e63d
                                                                                                              • Instruction ID: 1b3d5efa2050d55c82e4dd970b9d2e6008135b841a293b09bf90a8e1ff6be524
                                                                                                              • Opcode Fuzzy Hash: 6bf94d6c04a0975adb8cb764863ef4f9339397695d3755262639ae20fb41e63d
                                                                                                              • Instruction Fuzzy Hash: 94F0A431940214BFEB105B96ED4DE97FBBCEB85720B10475DF52AC22A0DBB06D20CB20
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02CE2BE4
                                                                                                              • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02CE2C07
                                                                                                                • Part of subcall function 02CEA4DF: WSAGetLastError.WS2_32(00000000,?,?,02CE2A51), ref: 02CEA4ED
                                                                                                              • WSASetLastError.WS2_32 ref: 02CE2CD3
                                                                                                              • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02CE2CE7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$Recvselect
                                                                                                              • String ID: 3'
                                                                                                              • API String ID: 886190287-280543908
                                                                                                              • Opcode ID: 64d2b299e116002ac1a9c3687d340db6aaae08eaef435338cbe83d8fd96e2646
                                                                                                              • Instruction ID: 9c234fb9153f9688e2eb00c90d10ef849c2b61466b4ee4bbd5e5a5ae4ba51307
                                                                                                              • Opcode Fuzzy Hash: 64d2b299e116002ac1a9c3687d340db6aaae08eaef435338cbe83d8fd96e2646
                                                                                                              • Instruction Fuzzy Hash: 5A418EB19443019FDB509F74C84476BBBEDAF88715F10491EE99A87281EBB0DA50CBA2
                                                                                                              APIs
                                                                                                              • GetVersionExA.KERNEL32 ref: 00403ECB
                                                                                                              • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403F00
                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403F60
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                                              • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                                              • API String ID: 1385375860-4131005785
                                                                                                              • Opcode ID: 24e6f3bd4125583b3bbf56e9767beae157ffe726f3734666c8e193c81b681956
                                                                                                              • Instruction ID: b9728f854654bad712525c43123df79641ae2587965f18a3091eb02ea7af310c
                                                                                                              • Opcode Fuzzy Hash: 24e6f3bd4125583b3bbf56e9767beae157ffe726f3734666c8e193c81b681956
                                                                                                              • Instruction Fuzzy Hash: 42312771D002896DEB319A309C45BDA7F7C9B12309F2400FBE545F52C2D6398F8A8718
                                                                                                              APIs
                                                                                                              • std::exception::exception.LIBCMT ref: 02CF195F
                                                                                                                • Part of subcall function 02CF24B3: std::exception::_Copy_str.LIBCMT ref: 02CF24CC
                                                                                                                • Part of subcall function 02CF0D30: __CxxThrowException@8.LIBCMT ref: 02CF0D8E
                                                                                                              • std::exception::exception.LIBCMT ref: 02CF19BE
                                                                                                              Strings
                                                                                                              • boost unique_lock owns already the mutex, xrefs: 02CF19AD
                                                                                                              • $, xrefs: 02CF19C3
                                                                                                              • boost unique_lock has no mutex, xrefs: 02CF194E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                                                              • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                                                              • API String ID: 2140441600-46888669
                                                                                                              • Opcode ID: dec8de19845c6e7ecc7a371eff2edeb5ad125f5e7b6a30133c1b4d0ba9174a42
                                                                                                              • Instruction ID: 54bb451149dbc1a98f1c8be8c9349c8e788250a58e45d6295ac94dbfba19534f
                                                                                                              • Opcode Fuzzy Hash: dec8de19845c6e7ecc7a371eff2edeb5ad125f5e7b6a30133c1b4d0ba9174a42
                                                                                                              • Instruction Fuzzy Hash: E62144B15083809FD3A0DF24C58474BBBE5BB88B08F404E1EF5A587381C7B99808CF92
                                                                                                              APIs
                                                                                                              • __getptd_noexit.LIBCMT ref: 02CF4A60
                                                                                                                • Part of subcall function 02CF5C52: GetLastError.KERNEL32(76E20A60,76E1F550,02CF5E40,02CF3013,76E1F550,?,02CE606D,00000104,76E20A60,76E1F550,ntdll.dll,?,?,?,02CE6508), ref: 02CF5C54
                                                                                                                • Part of subcall function 02CF5C52: __calloc_crt.LIBCMT ref: 02CF5C75
                                                                                                                • Part of subcall function 02CF5C52: __initptd.LIBCMT ref: 02CF5C97
                                                                                                                • Part of subcall function 02CF5C52: GetCurrentThreadId.KERNEL32 ref: 02CF5C9E
                                                                                                                • Part of subcall function 02CF5C52: SetLastError.KERNEL32(00000000,02CE606D,00000104,76E20A60,76E1F550,ntdll.dll,?,?,?,02CE6508), ref: 02CF5CB6
                                                                                                              • __calloc_crt.LIBCMT ref: 02CF4A83
                                                                                                              • __get_sys_err_msg.LIBCMT ref: 02CF4AA1
                                                                                                              • __invoke_watson.LIBCMT ref: 02CF4ABE
                                                                                                              Strings
                                                                                                              • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02CF4A6B, 02CF4A91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                                                              • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                                              • API String ID: 109275364-798102604
                                                                                                              • Opcode ID: 687537b8933ed9373c2206df2fd623fb52718942ed85daf71ae9c66d36ce63cc
                                                                                                              • Instruction ID: fc9742ed6d601c01f53cdc817469c5189cb49632ee466132fa514f724c03bba4
                                                                                                              • Opcode Fuzzy Hash: 687537b8933ed9373c2206df2fd623fb52718942ed85daf71ae9c66d36ce63cc
                                                                                                              • Instruction Fuzzy Hash: F4F0E932580B156BEBF9A5565C80A6B72DEDF806A0B01052AFB4AD7300F731DD007698
                                                                                                              APIs
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2350
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2360
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02CE2370
                                                                                                              • GetLastError.KERNEL32 ref: 02CE237A
                                                                                                                • Part of subcall function 02CE1712: __EH_prolog.LIBCMT ref: 02CE1717
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                                                              • String ID: pqcs
                                                                                                              • API String ID: 1619523792-2559862021
                                                                                                              • Opcode ID: 4bc56c4483af215af01aa915d86dc9310c0d869c12fb030347a4b4ed1bc0e26f
                                                                                                              • Instruction ID: 40e848148046650082c8affaf5e2c4d0e50dc52d6b7de67c03f5271ec81af070
                                                                                                              • Opcode Fuzzy Hash: 4bc56c4483af215af01aa915d86dc9310c0d869c12fb030347a4b4ed1bc0e26f
                                                                                                              • Instruction Fuzzy Hash: 75F036719403046BEB10AF74D849F6B7BBCEB40601B104655E90AD7654E7B0AD149B51
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE4035
                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02CE4042
                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02CE4049
                                                                                                              • std::exception::exception.LIBCMT ref: 02CE4063
                                                                                                                • Part of subcall function 02CEA6A0: __EH_prolog.LIBCMT ref: 02CEA6A5
                                                                                                                • Part of subcall function 02CEA6A0: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02CEA6B4
                                                                                                                • Part of subcall function 02CEA6A0: __CxxThrowException@8.LIBCMT ref: 02CEA6D3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                                                              • String ID: bad allocation
                                                                                                              • API String ID: 3112922283-2104205924
                                                                                                              • Opcode ID: 005e3c82460865f6faffa3097a9346138c4cf3c3c85742f003c27e1d89216584
                                                                                                              • Instruction ID: 7c7bea2165572fadde074997197c8adefbccd10ea3d70d01f1e0def51a6e3e93
                                                                                                              • Opcode Fuzzy Hash: 005e3c82460865f6faffa3097a9346138c4cf3c3c85742f003c27e1d89216584
                                                                                                              • Instruction Fuzzy Hash: C5F08271D40209DBDF00EFE0D848BAFBB78FB04700F404559E915A6390D7745A14CF91
                                                                                                              APIs
                                                                                                              • GetStartupInfoA.KERNEL32(?), ref: 00403D2D
                                                                                                              • GetFileType.KERNEL32(00000800), ref: 00403DD3
                                                                                                              • GetStdHandle.KERNEL32(-000000F6), ref: 00403E2C
                                                                                                              • GetFileType.KERNEL32(00000000), ref: 00403E3A
                                                                                                              • SetHandleCount.KERNEL32 ref: 00403E71
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileHandleType$CountInfoStartup
                                                                                                              • String ID:
                                                                                                              • API String ID: 1710529072-0
                                                                                                              • Opcode ID: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
                                                                                                              • Instruction ID: 0b7b95883a4e689196e32d1b42849a04f4efe08137134e81777c7f486c9ce5ca
                                                                                                              • Opcode Fuzzy Hash: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
                                                                                                              • Instruction Fuzzy Hash: 025125716046458BD7218F38CE847667FA8AF11722F15437AE4A2FB3E0C7389A45CB8D
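The "Memory Dump Source" entries above record which memory each recovered function came from, and they carry the raw signal behind the report's unpacking verdicts: the 02CE1000 region has protection 0x40 (PAGE_EXECUTE_READWRITE) and is not backed by a PE, while the mapped image at 00400000 carries the same 0x40 protection on a region that should be PE-backed read-only code. The Python below is an added example, not Joe Sandbox code, that parses those "Source File" lines and ranks the regions by how much they look like unpacked or tampered code. It assumes the eight dot-separated hex fields of an .sdmp name hold the region base at index 3, the page protection at index 4 and the region type at index 6; the parser cross-checks the base against the report's own Offset value and the type against the known MEM_* constants, so a wrong layout assumption raises instead of misclassifying. The remaining fields are left undecoded. The two sample lines are copied from this report.

```python
import re
from typing import NamedTuple, Optional

# Memory protection constants from winnt.h.
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# MEMORY_BASIC_INFORMATION.Type values from winnt.h.
MEM_PRIVATE = 0x00020000
MEM_MAPPED = 0x00040000
MEM_IMAGE = 0x01000000

# The two "Source File" lines exactly as they appear in this report.
SAMPLE_LINES = [
    "• Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false",
    "• Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true",
]

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)


class DumpRegion(NamedTuple):
    name: str
    base: int
    protect: int
    mem_type: int
    pe_backed: bool


def parse_source_line(line: str) -> Optional[DumpRegion]:
    """Parse one 'Source File: ....sdmp, Offset: ..., based on PE: ...' line."""
    m = SOURCE_RE.search(line)
    if m is None:
        return None
    fields = m.group("name")[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {m.group('name')}")
    # ASSUMED layout of the eight hex fields: index 3 is the region base,
    # index 4 the page protection, index 6 the region type. The base is
    # cross-checked against the report's Offset and the type against the
    # MEM_* constants, so a wrong assumption fails loudly here.
    base = int(fields[3], 16)
    protect = int(fields[4], 16)
    mem_type = int(fields[6], 16)
    if base != int(m.group("offset"), 16):
        raise ValueError("dump name base does not match reported Offset")
    if mem_type not in (MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE):
        raise ValueError(f"unrecognised region type 0x{mem_type:x}")
    return DumpRegion(m.group("name"), base, protect, mem_type, m.group("pe") == "true")


def classify(region: DumpRegion) -> str:
    """Rank a dumped region by how much it looks like unpacked or tampered code."""
    executable = bool(region.protect & EXEC_MASK)
    writable = bool(region.protect & WRITE_MASK)
    if executable and writable and region.mem_type == MEM_PRIVATE and not region.pe_backed:
        # Code executing from private memory with no PE on disk: an unpacked payload.
        return "rwx-private"
    if executable and writable and region.mem_type == MEM_IMAGE:
        # A mapped module whose code pages are writable: section rights were changed.
        return "rwx-image"
    if executable and writable:
        return "rwx-other"
    if executable:
        return "exec"
    return "data"


def triage(lines):
    """Map each dump name to its classification; lines without a dump are skipped."""
    result = {}
    for line in lines:
        region = parse_source_line(line)
        if region is not None:
            result[region.name] = classify(region)
    return result


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LINES).items():
        print(f"{verdict:12s} {name}")
```

Run against the two lines above, the 02CE1000 dump classifies as "rwx-private" and the 00400000 dump as "rwx-image"; a region protected 0x20 (PAGE_EXECUTE_READ) inside a MEM_IMAGE dump would land in "exec", which is the normal shape of a legitimate code section.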
                                                                                                              APIs
                                                                                                                • Part of subcall function 02CF1A30: CloseHandle.KERNEL32(00000000,8C8CC0CD), ref: 02CF1A81
                                                                                                                • Part of subcall function 02CF1A30: WaitForSingleObject.KERNEL32(?,000000FF,8C8CC0CD,?,?,?,?,8C8CC0CD,02CF1A03,8C8CC0CD), ref: 02CF1A98
                                                                                                              • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02CF1CFE
                                                                                                              • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02CF1D1E
                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02CF1D57
                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02CF1DAB
                                                                                                              • SetEvent.KERNEL32(?), ref: 02CF1DB2
                                                                                                                • Part of subcall function 02CE418C: CloseHandle.KERNEL32(00000000,?,02CF1CE5), ref: 02CE41B0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 4166353394-0
                                                                                                              • Opcode ID: 9213fafd985fa96df952171d1b715072ac8f39ed37adb23c01d70476a63367f2
                                                                                                              • Instruction ID: 3a36cbaa874f41a1d2c1c13b44037ba3129bb62e0cbd8c8bbabedcab84e049bc
                                                                                                              • Opcode Fuzzy Hash: 9213fafd985fa96df952171d1b715072ac8f39ed37adb23c01d70476a63367f2
                                                                                                              • Instruction Fuzzy Hash: DD41E132600301CBEBA6DF19CC80B56B7B4EF85724F1806A8ED199B395D775D9118B91
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CEE0D3
                                                                                                                • Part of subcall function 02CE1A01: TlsGetValue.KERNEL32 ref: 02CE1A0A
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CEE152
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CEE16E
                                                                                                              • InterlockedIncrement.KERNEL32(02D15190), ref: 02CEE193
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CEE1A8
                                                                                                                • Part of subcall function 02CE27F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02CE284E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                                                              • String ID:
                                                                                                              • API String ID: 1578506061-0
                                                                                                              • Opcode ID: cafa044602e7117e1ad83aff83a350d9c4387968d44cd3013c13df9040e6f412
                                                                                                              • Instruction ID: a0c02f862a9d661c11e5bb17659f21da591e509d37fccaf5f0261eac4bb49180
                                                                                                              • Opcode Fuzzy Hash: cafa044602e7117e1ad83aff83a350d9c4387968d44cd3013c13df9040e6f412
                                                                                                              • Instruction Fuzzy Hash: A73137B1D01245AFDB10DFA8D944AAEBBF8FF48310F14855AD84AD7641E774AA14CFA0
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02CE2A3B
                                                                                                              • closesocket.WS2_32 ref: 02CE2A42
                                                                                                              • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02CE2A89
                                                                                                              • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02CE2A97
                                                                                                              • closesocket.WS2_32 ref: 02CE2A9E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastclosesocket$ioctlsocket
                                                                                                              • String ID:
                                                                                                              • API String ID: 1561005644-0
                                                                                                              • Opcode ID: 5e9a37d03ca731feaf1e26df7f686026b0d0441d0250fd37b49810bcb6c60e2a
                                                                                                              • Instruction ID: e867206694b3c6a4245c49faed2e19e47d5cc13fa18df355dd0fb44f847483d3
                                                                                                              • Opcode Fuzzy Hash: 5e9a37d03ca731feaf1e26df7f686026b0d0441d0250fd37b49810bcb6c60e2a
                                                                                                              • Instruction Fuzzy Hash: 8A210871980305AFEF30ABB8C844B6AB7EDAF88315F104569ED06C3241EB70DE418B62
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE1BAC
                                                                                                              • RtlEnterCriticalSection.NTDLL ref: 02CE1BBC
                                                                                                              • RtlLeaveCriticalSection.NTDLL ref: 02CE1BEA
                                                                                                              • RtlEnterCriticalSection.NTDLL ref: 02CE1C13
                                                                                                              • RtlLeaveCriticalSection.NTDLL ref: 02CE1C56
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                                              • String ID:
                                                                                                              • API String ID: 1633115879-0
                                                                                                              • Opcode ID: fecda6bd349ab553227985cd7d30919bc08c3ffae3fd04ceb0d83df13d10f7fb
                                                                                                              • Instruction ID: a0b5300f5b5e6d1feb3f9766316270f5d759e9a857537572044f247a4d6f5329
                                                                                                              • Opcode Fuzzy Hash: fecda6bd349ab553227985cd7d30919bc08c3ffae3fd04ceb0d83df13d10f7fb
                                                                                                              • Instruction Fuzzy Hash: DA219CB5900644AFDF14CF68D484B9ABBB5FF88714F248589E84A9B301D7B0EE11CBA0
                                                                                                              APIs
                                                                                                              • _malloc.LIBCMT ref: 02D00390
                                                                                                                • Part of subcall function 02CF2F8C: __FF_MSGBANNER.LIBCMT ref: 02CF2FA3
                                                                                                                • Part of subcall function 02CF2F8C: __NMSG_WRITE.LIBCMT ref: 02CF2FAA
                                                                                                                • Part of subcall function 02CF2F8C: RtlAllocateHeap.NTDLL(00850000,00000000,00000001), ref: 02CF2FCF
                                                                                                              • _free.LIBCMT ref: 02D003A3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap_free_malloc
                                                                                                              • String ID:
                                                                                                              • API String ID: 1020059152-0
                                                                                                              • Opcode ID: ac4662f3a57158d1079d10375a45c1e42842a0d31a3b5b43a8f9c50b1739a29d
                                                                                                              • Instruction ID: 095d43e0f28d24390d9c34c9cd4e37a875463c33a91e85d64a604f8159e604bb
                                                                                                              • Opcode Fuzzy Hash: ac4662f3a57158d1079d10375a45c1e42842a0d31a3b5b43a8f9c50b1739a29d
                                                                                                              • Instruction Fuzzy Hash: 7C11CA72948611BBDBA22F70ACC475A3B999F043A2B104525EBC99A3E0DB34CC51DA95
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE21DA
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CE21ED
                                                                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02CE2224
                                                                                                              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02CE2237
                                                                                                              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02CE2261
                                                                                                                • Part of subcall function 02CE2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2350
                                                                                                                • Part of subcall function 02CE2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2360
                                                                                                                • Part of subcall function 02CE2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02CE2370
                                                                                                                • Part of subcall function 02CE2341: GetLastError.KERNEL32 ref: 02CE237A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 1856819132-0
                                                                                                              • Opcode ID: 26aee79d4d28a4a945a5d4c997fc3f3ccd309175dbfcf3d245e3993d43753c25
                                                                                                              • Instruction ID: 38c9f5cd531fe1d38c805d846293e61d42b98464b0507aeed38e20af60329817
                                                                                                              • Opcode Fuzzy Hash: 26aee79d4d28a4a945a5d4c997fc3f3ccd309175dbfcf3d245e3993d43753c25
                                                                                                              • Instruction Fuzzy Hash: 8111CD71D44218EFDF009FA4D844BAEFBBAFB44320F10861AEC1692260D7714A52DF91
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE229D
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CE22B0
                                                                                                              • TlsGetValue.KERNEL32 ref: 02CE22E7
                                                                                                              • TlsSetValue.KERNEL32(?), ref: 02CE2300
                                                                                                              • TlsSetValue.KERNEL32(?,?,?), ref: 02CE231C
                                                                                                                • Part of subcall function 02CE2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2350
                                                                                                                • Part of subcall function 02CE2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2360
                                                                                                                • Part of subcall function 02CE2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02CE2370
                                                                                                                • Part of subcall function 02CE2341: GetLastError.KERNEL32 ref: 02CE237A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 1856819132-0
                                                                                                              • Opcode ID: d0cd1d28f89510bcab60de4d8449fa7d25d8e294a46926d55e035e9d07becb30
                                                                                                              • Instruction ID: 5a8701eb9a72c5f6690c1b2d9dd053aad291c46c870d31d55cc9c672d0ef6b42
                                                                                                              • Opcode Fuzzy Hash: d0cd1d28f89510bcab60de4d8449fa7d25d8e294a46926d55e035e9d07becb30
                                                                                                              • Instruction Fuzzy Hash: 58118E72D40218AFDF059FA5D844AAEFBBAFF44310F10851AE805A3360D7715A62DF91
                                                                                                              APIs
                                                                                                                • Part of subcall function 02CEB13B: __EH_prolog.LIBCMT ref: 02CEB140
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 02CEBD05
                                                                                                                • Part of subcall function 02CF453A: RaiseException.KERNEL32(?,?,02CEFB35,?,?,?,?,?,?,?,02CEFB35,?,02D10F98,?), ref: 02CF458F
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02D11DB4,?,00000001), ref: 02CEBD1B
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CEBD2E
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02D11DB4,?,00000001), ref: 02CEBD3E
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CEBD4C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 2725315915-0
                                                                                                              APIs
                                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02CE2432
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02CE2445
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CE2454
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2469
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CE2470
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 747265849-0
                                                                                                              APIs
                                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 02CE1ED2
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02CE1EEA
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CE1EF9
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE1F0E
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CE1F15
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 830998967-0
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _memmove
                                                                                                              • String ID: invalid string position$string too long
                                                                                                              • API String ID: 4104443479-4289949731
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02CE30C3
                                                                                                              • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02CE3102
                                                                                                              • _memcmp.LIBCMT ref: 02CE3141
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AddressErrorLastString_memcmp
                                                                                                              • String ID: 255.255.255.255
                                                                                                              • API String ID: 1618111833-2422070025
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE1F5B
                                                                                                              • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02CE1FC5
                                                                                                              • GetLastError.KERNEL32(?,00000000), ref: 02CE1FD2
                                                                                                                • Part of subcall function 02CE1712: __EH_prolog.LIBCMT ref: 02CE1717
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                                              • String ID: iocp
                                                                                                              • API String ID: 998023749-976528080
                                                                                                              APIs
                                                                                                              • _malloc.LIBCMT ref: 02CF3B44
                                                                                                                • Part of subcall function 02CF2F8C: __FF_MSGBANNER.LIBCMT ref: 02CF2FA3
                                                                                                                • Part of subcall function 02CF2F8C: __NMSG_WRITE.LIBCMT ref: 02CF2FAA
                                                                                                                • Part of subcall function 02CF2F8C: RtlAllocateHeap.NTDLL(00850000,00000000,00000001), ref: 02CF2FCF
                                                                                                              • std::exception::exception.LIBCMT ref: 02CF3B62
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 02CF3B77
                                                                                                                • Part of subcall function 02CF453A: RaiseException.KERNEL32(?,?,02CEFB35,?,?,?,?,?,?,?,02CEFB35,?,02D10F98,?), ref: 02CF458F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                                              • String ID: bad allocation
                                                                                                              • API String ID: 3074076210-2104205924
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE37B6
                                                                                                              • __localtime64.LIBCMT ref: 02CE37C1
                                                                                                                • Part of subcall function 02CF25E0: __gmtime64_s.LIBCMT ref: 02CF25F3
                                                                                                              • std::exception::exception.LIBCMT ref: 02CE37D9
                                                                                                                • Part of subcall function 02CF24B3: std::exception::_Copy_str.LIBCMT ref: 02CF24CC
                                                                                                                • Part of subcall function 02CEA4FE: __EH_prolog.LIBCMT ref: 02CEA503
                                                                                                                • Part of subcall function 02CEA4FE: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02CEA512
                                                                                                                • Part of subcall function 02CEA4FE: __CxxThrowException@8.LIBCMT ref: 02CEA531
                                                                                                              Strings
                                                                                                              • could not convert calendar time to UTC time, xrefs: 02CE37CE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                                              • String ID: could not convert calendar time to UTC time
                                                                                                              • API String ID: 1963798777-2088861013
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(KERNEL32,00402E6A), ref: 0040315F
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040316F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                              • API String ID: 1646373207-3105848591
                                                                                                              APIs
                                                                                                              • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,0040403A), ref: 00404C3D
                                                                                                              • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,0040403A), ref: 00404C61
                                                                                                              • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,0040403A), ref: 00404C7B
                                                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,0040403A), ref: 00404D3C
                                                                                                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,0040403A), ref: 00404D53
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual$FreeHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 714016831-0
                                                                                                              APIs
                                                                                                              • VirtualFree.KERNEL32(?,00008000,00004000,76E1DFF0,?,00000000), ref: 00404696
                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004046F1
                                                                                                              • HeapFree.KERNEL32(00000000,?), ref: 00404703
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Free$Virtual$Heap
                                                                                                              • String ID: 4/@
                                                                                                              • API String ID: 2016334554-3101945251
                                                                                                              • Opcode ID: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
                                                                                                              • Instruction ID: 876bcf6037267374920b0e9be09a40bf20dde446c7cba65ee9efa19dd1b870bf
                                                                                                              • Opcode Fuzzy Hash: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
                                                                                                              • Instruction Fuzzy Hash: 4AB18EB4A01205DFDB14CF44CAD0A69BBA1FB88314F25C1AEDA596F3A2D735ED41CB84
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AdjustPointer_memmove
                                                                                                              • String ID:
                                                                                                              • API String ID: 1721217611-0
                                                                                                              • Opcode ID: 817f5cf75987d9b7df64a3024f3104fe892c75b98bae83ffed5f5c7434ea4518
                                                                                                              • Instruction ID: ad2e9c836736dd00aa89dadbd3661923bd875b9589b369a51e397f1cfbec521e
                                                                                                              • Opcode Fuzzy Hash: 817f5cf75987d9b7df64a3024f3104fe892c75b98bae83ffed5f5c7434ea4518
                                                                                                              • Instruction Fuzzy Hash: DE41A67570430B5EEBE4DE25E890B7A37F59F41B64F24001FEA498A5E1DB71D780EA20
                                                                                                              APIs
                                                                                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02CE4149), ref: 02CF139F
                                                                                                                • Part of subcall function 02CE3FDC: __EH_prolog.LIBCMT ref: 02CE3FE1
                                                                                                                • Part of subcall function 02CE3FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02CE3FF3
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CF1394
                                                                                                              • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02CE4149), ref: 02CF13E0
                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02CE4149), ref: 02CF14B1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle$Event$CreateH_prolog
                                                                                                              • String ID:
                                                                                                              • API String ID: 2825413587-0
                                                                                                              • Opcode ID: e8414de4b8c84cd10c45b870d708ba34a9016fe8d3123994136b22c9264e8792
                                                                                                              • Instruction ID: 6b5a49e778f16f9579fc2bf62d51cdf00717e6f9ca832139024c81f2055ad9b1
                                                                                                              • Opcode Fuzzy Hash: e8414de4b8c84cd10c45b870d708ba34a9016fe8d3123994136b22c9264e8792
                                                                                                              • Instruction Fuzzy Hash: B351C2B1A00345DBDF90CF28C88479ABBE5AF88328F194618FA6D97390D775E905CF91
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                              • String ID:
                                                                                                              • API String ID: 2782032738-0
                                                                                                              • Opcode ID: 41e168db359cd1c9f07d59c3f71d26477c26a2a79f102e3ff21314e00bb1a24e
                                                                                                              • Instruction ID: 83eb1f49869cc56910fa14c26ef1be9f91081ff88aad02ee254f8f4086aac944
                                                                                                              • Opcode Fuzzy Hash: 41e168db359cd1c9f07d59c3f71d26477c26a2a79f102e3ff21314e00bb1a24e
                                                                                                              • Instruction Fuzzy Hash: 4041B671B006C6BBDFD88E69C8905AE77B6EF80364B1481BFE605C7240E774DA418B50
                                                                                                              APIs
                                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02CFFF2B
                                                                                                              • __isleadbyte_l.LIBCMT ref: 02CFFF59
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 02CFFF87
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 02CFFFBD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                              • String ID:
                                                                                                              • API String ID: 3058430110-0
                                                                                                              • Opcode ID: fa4b3440344947e4110f1a7a8fec722aad74d443af4627941c03accf65ae78b4
                                                                                                              • Instruction ID: 4d94afc3868c2d77c857675dbafe92c0d18fe69c7c5478306b5c7190daab8130
                                                                                                              • Opcode Fuzzy Hash: fa4b3440344947e4110f1a7a8fec722aad74d443af4627941c03accf65ae78b4
                                                                                                              • Instruction Fuzzy Hash: 2C31E431600246AFDBA18E35CC44BAA7BE5FF82364F16402DFA64C75D0D732E951DB50
                                                                                                              APIs
                                                                                                              • htons.WS2_32(?), ref: 02CE3DA2
                                                                                                                • Part of subcall function 02CE3BD3: __EH_prolog.LIBCMT ref: 02CE3BD8
                                                                                                                • Part of subcall function 02CE3BD3: std::bad_exception::bad_exception.LIBCMT ref: 02CE3BED
                                                                                                              • htonl.WS2_32(00000000), ref: 02CE3DB9
                                                                                                              • htonl.WS2_32(00000000), ref: 02CE3DC0
                                                                                                              • htons.WS2_32(?), ref: 02CE3DD4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                                                              • String ID:
                                                                                                              • API String ID: 3882411702-0
                                                                                                              • Opcode ID: dad913dfacea17f7105f12dc55b3483079f837e08e2cfb4cac1b7c28b6a70677
                                                                                                              • Instruction ID: eb15aea4570dc445aa879f893a6cb327751b634cacc0b9cb17eb1cccd195e103
                                                                                                              • Opcode Fuzzy Hash: dad913dfacea17f7105f12dc55b3483079f837e08e2cfb4cac1b7c28b6a70677
                                                                                                              • Instruction Fuzzy Hash: 2611CE36A00249EFDF01AF64D885AAAB7B9EF08310F008496FD05DF255D671EE14CBA1
                                                                                                              APIs
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02CE23D0
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CE23DE
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2401
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CE2408
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 4018804020-0
                                                                                                              • Opcode ID: a4d37eba3538b69d3d270244b171f3bc66fba980b90c2cd7ca3f34d2c2d9e9e5
                                                                                                              • Instruction ID: d044da8d9a08ec233c48b2c2a0dc9e2af91d3da169b4b5972d7e063efb10fca3
                                                                                                              • Opcode Fuzzy Hash: a4d37eba3538b69d3d270244b171f3bc66fba980b90c2cd7ca3f34d2c2d9e9e5
                                                                                                              • Instruction Fuzzy Hash: 64117C71600205ABEB109F61D984FA6BBBDFF44705F10446DE9029B250D7B1FD51CBA1
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02CE2EEE
                                                                                                              • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02CE2EFD
                                                                                                              • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02CE2F0C
                                                                                                              • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02CE2F36
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$Socketsetsockopt
                                                                                                              • String ID:
                                                                                                              • API String ID: 2093263913-0
                                                                                                              • Opcode ID: b6942a116dc8d70e56f1b50a38d1bf0eb1ff3a72e5e94db239cd17d0d1c52f4b
                                                                                                              • Instruction ID: 44925a7fcad3ce34088a8d2da2db4a4a3bdbacaac145cdcd5540a6bc8889b4bd
                                                                                                              • Opcode Fuzzy Hash: b6942a116dc8d70e56f1b50a38d1bf0eb1ff3a72e5e94db239cd17d0d1c52f4b
                                                                                                              • Instruction Fuzzy Hash: 58018871940314BBDB209F75DC88F5ABBADEB89761F00C565FA09CB295D7718D008BB1
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                              • String ID:
                                                                                                              • API String ID: 3016257755-0
                                                                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                              • Instruction ID: c93e64510cf8f27b94f62dff8517478a8d8ea43015fcda37461bfd0fee3f2186
                                                                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                              • Instruction Fuzzy Hash: B8014B3250014EBBCF96AE84DC418EE3F36BF58754B498416FB1859031C337C6B1AB81
                                                                                                              APIs
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02CE24A9
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CE24B8
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE24CD
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CE24D4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 4018804020-0
                                                                                                              • Opcode ID: 78694819f00f64de20b38bc4dbbe569e57cf670fba40b244256449406a013f08
                                                                                                              • Instruction ID: 7d2531411565b23c13b408f19152f7cd46a91e02b73fd2074570765080b62fbb
                                                                                                              • Opcode Fuzzy Hash: 78694819f00f64de20b38bc4dbbe569e57cf670fba40b244256449406a013f08
                                                                                                              • Instruction Fuzzy Hash: FEF03C72540205AFDB00AF69EC84F9ABBBCFF48711F104519FA05CB255D7B1E9608FA1
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE2009
                                                                                                              • RtlDeleteCriticalSection.NTDLL(?), ref: 02CE2028
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CE2037
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CE204E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                                                              • String ID:
                                                                                                              • API String ID: 2456309408-0
                                                                                                              • Opcode ID: 78d827ba5d6e8df98cf6deca8e61d4793848a8a2b643f6c1a1df2ea69a912ab6
                                                                                                              • Instruction ID: 1b76ac2e5576bf0ed82ad2f3f71e095e7f17e21c47254890c6bc50de09b788b5
                                                                                                              • Opcode Fuzzy Hash: 78d827ba5d6e8df98cf6deca8e61d4793848a8a2b643f6c1a1df2ea69a912ab6
                                                                                                              • Instruction Fuzzy Hash: 8701A2718006449FC724AF54E848B9AF7B5FF04704F104A5DE847826E0C7706A08CF91
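The networking blocks above (the WSASocketA/setsockopt function, the two PostQueuedCompletionStatus functions, the htons/htonl function and the RtlDeleteCriticalSection/CloseHandle cleanup) are easier to read once the call lines are parsed and the raw constants are named. The script below is an added triage example for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses listings in the text format shown here and decodes the Winsock constants visible in the calls (level 00000029 = IPPROTO_IPV6, optname 0000001B = IPV6_V6ONLY, WSASocketA flag 00000001 = WSA_FLAG_OVERLAPPED, all from the Windows SDK headers). The behaviour tags it emits are this example's own reading of the call patterns, not something the sandbox reports; the sample text embedded in it is copied from the blocks above with the page's indentation removed. One caveat a reader should keep in mind: the setsockopt line shows the optval argument as 00000000, which is the pointer rather than the option value, so whether IPV6_V6ONLY is being set to 0 (dual-stack) or 1 (IPv6 only) cannot be recovered from this listing.

```python
"""Triage helper for Joe Sandbox function listings ('APIs' blocks).

Added example for this page, not code from Joe Sandbox or from the sample.
It parses the report's call lines into records and decodes the Winsock/IOCP
constants seen in the listing. Constant names come from the Windows SDK
headers (winsock2.h, ws2ipdef.h); the behaviour tags are this example's own
interpretation of the call patterns and are not emitted by the sandbox.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: three function blocks copied from the report above,
# with the page's leading indentation removed. Block boundaries are the
# 'APIs' headings, exactly as in the report.
SAMPLE = """\
APIs
• WSASetLastError.WS2_32(00000000), ref: 02CE2EEE
• WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02CE2EFD
• WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02CE2F0C
• setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02CE2F36
Similarity
• API ID: ErrorLast$Socketsetsockopt
APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02CE24A9
• RtlEnterCriticalSection.NTDLL(?), ref: 02CE24B8
• InterlockedExchange.KERNEL32(?,00000001), ref: 02CE24CD
• RtlLeaveCriticalSection.NTDLL(?), ref: 02CE24D4
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
APIs
• htons.WS2_32(?), ref: 02CE3DA2
  • Part of subcall function 02CE3BD3: __EH_prolog.LIBCMT ref: 02CE3BD8
• htonl.WS2_32(00000000), ref: 02CE3DB9
• htons.WS2_32(?), ref: 02CE3DD4
Similarity
• API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
"""

# 'name.MODULE(args), ref: ADDR' or, for CRT helpers, 'name.MODULE ref: ADDR'
CALL_RE = re.compile(
    r"^• (?P<func>\S+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SUBCALL_RE = re.compile(r"^• Part of subcall function (?P<sub>[0-9A-Fa-f]+): (?P<rest>.+)$")


@dataclass
class Call:
    func: str
    module: str
    args: list                      # int for resolved values, None for '?'
    ref: int
    subcall_of: Optional[int] = None


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    api_id: str = ""


def _parse_args(raw):
    if not raw:
        return []
    return [None if a == "?" else int(a, 16) for a in raw.split(",")]


def _parse_call(line, subcall_of=None):
    m = CALL_RE.match(line)
    if not m:
        return None
    return Call(m["func"], m["mod"], _parse_args(m["args"]), int(m["ref"], 16), subcall_of)


def parse_blocks(text):
    """Split the listing on 'APIs' headings and parse each block's call lines."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
            continue
        sub = SUBCALL_RE.match(line)
        call = _parse_call("• " + sub["rest"], int(sub["sub"], 16)) if sub else _parse_call(line)
        if call:
            cur.calls.append(call)
    return blocks


# Winsock constants as defined in the Windows SDK (winsock2.h / ws2ipdef.h).
SOL_SOCKET, IPPROTO_TCP, IPPROTO_IPV6 = 0xFFFF, 6, 41
LEVELS = {SOL_SOCKET: "SOL_SOCKET", 0: "IPPROTO_IP", IPPROTO_TCP: "IPPROTO_TCP", IPPROTO_IPV6: "IPPROTO_IPV6"}
OPTNAMES = {
    SOL_SOCKET: {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0080: "SO_LINGER"},
    IPPROTO_TCP: {0x0001: "TCP_NODELAY"},
    IPPROTO_IPV6: {27: "IPV6_V6ONLY"},
}
WSA_FLAG_OVERLAPPED = 0x01


def decode_setsockopt(args):
    """Name the level/optname of setsockopt(s, level, optname, optval, optlen).
    optval is a pointer in the listing, so the option's value is not decoded."""
    _s, level, optname, _optval, optlen = (list(args) + [None] * 5)[:5]
    lvl = LEVELS.get(level, hex(level) if level is not None else "?")
    opt = OPTNAMES.get(level, {}).get(optname, hex(optname) if optname is not None else "?")
    return f"setsockopt(level={lvl}, opt={opt}, optlen={optlen})"


def tag_block(block):
    """Behavioural tags for one function block (this example's own heuristics)."""
    names = [c.func for c in block.calls]
    tags = set()
    for c in block.calls:
        if c.func == "setsockopt":
            tags.add(decode_setsockopt(c.args))
        if c.func in ("WSASocketA", "WSASocketW") and len(c.args) == 6 \
                and c.args[5] is not None and c.args[5] & WSA_FLAG_OVERLAPPED:
            tags.add("overlapped socket (WSA_FLAG_OVERLAPPED)")
        if c.func in ("htons", "htonl"):
            tags.add("builds network-byte-order address/port (sockaddr setup)")
    if "PostQueuedCompletionStatus" in names:
        tags.add("I/O completion port in use")
        # wake-up post plus a flag flip under a lock: the usual IOCP stop/interrupt idiom
        if "InterlockedExchange" in names and "RtlEnterCriticalSection" in names:
            tags.add("IOCP stop/interrupt signal")
    return tags


def triage(text=SAMPLE):
    """(API ID, sorted tags) for every block in the listing."""
    return [(b.api_id, sorted(tag_block(b))) for b in parse_blocks(text)]


if __name__ == "__main__":
    for api_id, tags in triage():
        print(api_id, "->", "; ".join(tags) or "(no tags)")
```

Running the script over the three embedded blocks prints one line per function with its API ID and the decoded tags; feeding it the full text of this report section (copied as plain text) tags every block the same way, and the `subcall_of` field keeps "Part of subcall function" entries attributable to the callee so they are not mistaken for direct calls.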
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Event$H_prologSleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 1765829285-0
                                                                                                              • Opcode ID: 7602b02abe0c5fdb924b3abb05ec4b9c34b25992357711f803d1a50f473580af
                                                                                                              • Instruction ID: afed609dde21636d4237424d991dab3a8ab2e887b71c083497f6eafc83db1db2
                                                                                                              • Opcode Fuzzy Hash: 7602b02abe0c5fdb924b3abb05ec4b9c34b25992357711f803d1a50f473580af
                                                                                                              • Instruction Fuzzy Hash: C4F03035A40110DFDB009F94E8C8B88BBB4FF09311F5082A9F9199B3A4C775AC54CF61
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog_memmove
                                                                                                              • String ID: &'
                                                                                                              • API String ID: 3529519853-655172784
                                                                                                              • Opcode ID: d394a527def2e7f096ef4ec9746abe5311662e65c9343ac81f2e35c9882a9386
                                                                                                              • Instruction ID: ea0115fb2c5517097ddd0f92f6dfd62ac4b4967721ffd43e4b1f0789842f0a15
                                                                                                              • Opcode Fuzzy Hash: d394a527def2e7f096ef4ec9746abe5311662e65c9343ac81f2e35c9882a9386
                                                                                                              • Instruction Fuzzy Hash: AB618E71D00218DFDF20EFA4C940AEEFBB6BF48310F14816AD50AAB290D7719A05DFA1
                                                                                                              APIs
                                                                                                              • GetCPInfo.KERNEL32(?,00000000), ref: 00406043
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Info
                                                                                                              • String ID: $
                                                                                                              • API String ID: 1807457897-3032137957
                                                                                                              • Opcode ID: 2bcc76b937e26bb30bc14eae63f2c8421862a1fe3dbd7d24f008297243196a7e
                                                                                                              • Instruction ID: a42b242f0737112a64efb8245030e7df3adc9bcb2e8c8469847d94988edb9e3f
                                                                                                              • Opcode Fuzzy Hash: 2bcc76b937e26bb30bc14eae63f2c8421862a1fe3dbd7d24f008297243196a7e
                                                                                                              • Instruction Fuzzy Hash: 7B413731004158AEEB119754DD89BFB3FE9DB06700F1501F6D58BFB1D3C23949648BAA
                                                                                                              APIs
                                                                                                                • Part of subcall function 02CE2D39: WSASetLastError.WS2_32(00000000), ref: 02CE2D47
                                                                                                                • Part of subcall function 02CE2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02CE2D5C
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02CE2E6D
                                                                                                              • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02CE2E83
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$Sendselect
                                                                                                              • String ID: 3'
                                                                                                              • API String ID: 2958345159-280543908
                                                                                                              • Opcode ID: 7a38ad168d72e14de28f256c41c6b09efc90ee14bb7a804716e8bddecd0ec19a
                                                                                                              • Instruction ID: bdd1398a1361d58268685f3ab45252e559a6535c48e98ebf33017ac9d2639025
                                                                                                              • Opcode Fuzzy Hash: 7a38ad168d72e14de28f256c41c6b09efc90ee14bb7a804716e8bddecd0ec19a
                                                                                                              • Instruction Fuzzy Hash: 0131C0B1E002199FDF10EF64C844BEE7BAEAF48315F00455ADE0697281E7B09A91DFA1
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02CE83A9,?,?,00000000), ref: 02CE96A6
                                                                                                              • getsockname.WS2_32(?,?,?), ref: 02CE96BC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastgetsockname
                                                                                                              • String ID: &'
                                                                                                              • API String ID: 566540725-655172784
                                                                                                              • Opcode ID: a86a1641ad9fe337d1b33b82aff8efb07d023c014ecc1d48c8447bb0494a2181
                                                                                                              • Instruction ID: bbe2912a29137506f7d0b495707940fa4d68500eae95cd84fb087f533fc3555d
                                                                                                              • Opcode Fuzzy Hash: a86a1641ad9fe337d1b33b82aff8efb07d023c014ecc1d48c8447bb0494a2181
                                                                                                              • Instruction Fuzzy Hash: D12181B2A40248ABDB50DF68D844ACEB7F5FF4C314F10816AE919EB281D730A9558BA0
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CECC8A
                                                                                                                • Part of subcall function 02CED266: std::exception::exception.LIBCMT ref: 02CED295
                                                                                                                • Part of subcall function 02CEDA1C: __EH_prolog.LIBCMT ref: 02CEDA21
                                                                                                                • Part of subcall function 02CF3B2C: _malloc.LIBCMT ref: 02CF3B44
                                                                                                                • Part of subcall function 02CED2C5: __EH_prolog.LIBCMT ref: 02CED2CA
                                                                                                              Strings
                                                                                                              • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02CECCC0
                                                                                                              • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02CECCC7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$_mallocstd::exception::exception
                                                                                                              • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                                                              • API String ID: 1953324306-1943798000
                                                                                                              • Opcode ID: ccb8355692fd12cc5d7ec1d2052afba0f0a978eb4801aa3ca5af5ddae88f4458
                                                                                                              • Instruction ID: ecc17240072561d95bdcc7cc7d17cd3e6f38e2062d227b3899a31e0b8a0d5a45
                                                                                                              • Opcode Fuzzy Hash: ccb8355692fd12cc5d7ec1d2052afba0f0a978eb4801aa3ca5af5ddae88f4458
                                                                                                              • Instruction Fuzzy Hash: 41219E71E01298AAEF18EFE8D854BADBBB9EF54700F04444EE806A7390DB709E05DF50
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CECD7F
                                                                                                                • Part of subcall function 02CED33D: std::exception::exception.LIBCMT ref: 02CED36A
                                                                                                                • Part of subcall function 02CEDB53: __EH_prolog.LIBCMT ref: 02CEDB58
                                                                                                                • Part of subcall function 02CF3B2C: _malloc.LIBCMT ref: 02CF3B44
                                                                                                                • Part of subcall function 02CED39A: __EH_prolog.LIBCMT ref: 02CED39F
                                                                                                              Strings
                                                                                                              • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02CECDB5
                                                                                                              • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02CECDBC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$_mallocstd::exception::exception
                                                                                                              • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                                                              • API String ID: 1953324306-412195191
                                                                                                              • Opcode ID: fd2c1b78ed494636f5dcfb6e76c9344ad0e6e014973aab3e9a957663292652f9
                                                                                                              • Instruction ID: 1826a8bad27f2d7d63bd51ae5d21f8ecebc6d554c3a6036b2795df6c6c8fdb10
                                                                                                              • Opcode Fuzzy Hash: fd2c1b78ed494636f5dcfb6e76c9344ad0e6e014973aab3e9a957663292652f9
                                                                                                              • Instruction Fuzzy Hash: 3C219E71E00248AAEF18EFE8E554BEDBBB9EF54300F00455DE806A73A0DBB05A45DB91
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02CE2AEA
                                                                                                              • connect.WS2_32(?,?,?), ref: 02CE2AF5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastconnect
                                                                                                              • String ID: 3'
                                                                                                              • API String ID: 374722065-280543908
                                                                                                              • Opcode ID: 6907465f2517984d548ad10aa209e1d6f8fb9e37af8e61664d44c5dab8da2278
                                                                                                              • Instruction ID: 3d0e330b4910be2e5674877de8b0bd52fda5ad6a39476bd5ea32570179992a35
                                                                                                              • Opcode Fuzzy Hash: 6907465f2517984d548ad10aa209e1d6f8fb9e37af8e61664d44c5dab8da2278
                                                                                                              • Instruction Fuzzy Hash: 0321DA71D00204ABDF14AF74C4447AEB7BEDF44324F004159DD1B97381DBB45A019FA1
                                                                                                              APIs
                                                                                                              • _malloc.LIBCMT ref: 02CE535D
                                                                                                                • Part of subcall function 02CF2F8C: __FF_MSGBANNER.LIBCMT ref: 02CF2FA3
                                                                                                                • Part of subcall function 02CF2F8C: __NMSG_WRITE.LIBCMT ref: 02CF2FAA
                                                                                                                • Part of subcall function 02CF2F8C: RtlAllocateHeap.NTDLL(00850000,00000000,00000001), ref: 02CF2FCF
                                                                                                              • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02CE536F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateFolderHeapPathSpecial_malloc
                                                                                                              • String ID: \save.dat
                                                                                                              • API String ID: 4128168839-3580179773
                                                                                                              • Opcode ID: 30a639bb2a285b8f9fa7c708e343614f9bef1c498030229fcf153a837723463e
                                                                                                              • Instruction ID: 71b11fe300ef0a710e6cbfef43cce1bfc73f439f221899e7cd6ab889361b1c42
                                                                                                              • Opcode Fuzzy Hash: 30a639bb2a285b8f9fa7c708e343614f9bef1c498030229fcf153a837723463e
                                                                                                              • Instruction Fuzzy Hash: C11190729043407BDF258E658CC0E9FFF67DFC2694B1002E9E8496B341DBA30E02D6A0
                                                                                                              APIs
                                                                                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 02CF9566
                                                                                                              • ___raise_securityfailure.LIBCMT ref: 02CF964D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                              • String ID: 2?ss
                                                                                                              • API String ID: 3761405300-2572109608
                                                                                                              • Opcode ID: b1f623b9b5aac36b3fb151081021cec97ca26ec8dfe9205d1fdf1d382438e038
                                                                                                              • Instruction ID: c36d3159a8707999e99c792225281cc6fb67a3edf98efc5f8cf66d95178273a9
                                                                                                              • Opcode Fuzzy Hash: b1f623b9b5aac36b3fb151081021cec97ca26ec8dfe9205d1fdf1d382438e038
                                                                                                              • Instruction Fuzzy Hash: 4021D4B4E82304ABE758DF14F5417507BFCBB48714F10592AE6089BB98E3B19D62CF84
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE396A
                                                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02CE39C1
                                                                                                                • Part of subcall function 02CE1410: std::exception::exception.LIBCMT ref: 02CE1428
                                                                                                                • Part of subcall function 02CEA5F4: __EH_prolog.LIBCMT ref: 02CEA5F9
                                                                                                                • Part of subcall function 02CEA5F4: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02CEA608
                                                                                                                • Part of subcall function 02CEA5F4: __CxxThrowException@8.LIBCMT ref: 02CEA627
                                                                                                              Strings
                                                                                                              • Day of month is not valid for year, xrefs: 02CE39AC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                              • String ID: Day of month is not valid for year
                                                                                                              • API String ID: 1404951899-1521898139
                                                                                                              • Opcode ID: 9b2af99047a70fb05ebaf97aea009e1fd8c2a18b90f12dc3bda61476d3e20282
                                                                                                              • Instruction ID: 54d4d146e84181c6dc6056ff0c6a5c99b4ea1e53cea004609c16049805a450dc
                                                                                                              • Opcode Fuzzy Hash: 9b2af99047a70fb05ebaf97aea009e1fd8c2a18b90f12dc3bda61476d3e20282
                                                                                                              • Instruction Fuzzy Hash: 4E01B17A910249AEDF04EFA4E841BEEB779FF18710F40401AEC0593350EB705E55DBA5
                                                                                                              APIs
                                                                                                              • std::exception::exception.LIBCMT ref: 02CEFAED
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 02CEFB02
                                                                                                                • Part of subcall function 02CF3B2C: _malloc.LIBCMT ref: 02CF3B44
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                                              • String ID: bad allocation
                                                                                                              • API String ID: 4063778783-2104205924
                                                                                                              • Opcode ID: a40e485084d0a1ad384ad8e0e04256cb9366144945e5b21fed0bc9f1f7f8bb23
                                                                                                              • Instruction ID: 2e19ad9cef8234eef082b208150b22c136be19bc2618a36861bafda6fe1d8af0
                                                                                                              • Opcode Fuzzy Hash: a40e485084d0a1ad384ad8e0e04256cb9366144945e5b21fed0bc9f1f7f8bb23
                                                                                                              • Instruction Fuzzy Hash: F6F089B060030D679F08B6A59956ABF73ADFB04218B500559A522D27D0EBB0EE04D5D5
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE3C1B
                                                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 02CE3C30
                                                                                                                • Part of subcall function 02CF2497: std::exception::exception.LIBCMT ref: 02CF24A1
                                                                                                                • Part of subcall function 02CEA62D: __EH_prolog.LIBCMT ref: 02CEA632
                                                                                                                • Part of subcall function 02CEA62D: __CxxThrowException@8.LIBCMT ref: 02CEA65B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                              • String ID: bad cast
                                                                                                              • API String ID: 1300498068-3145022300
                                                                                                              • Opcode ID: 415127621b98540d428dc206dc27832a119d695a7d856e8778ef9b085cbd3931
                                                                                                              • Instruction ID: 1b6a5bd1d4eaf6e40f0bbcb912bbac55cce283fd784190004d1b298c8013608a
                                                                                                              • Opcode Fuzzy Hash: 415127621b98540d428dc206dc27832a119d695a7d856e8778ef9b085cbd3931
                                                                                                              • Instruction Fuzzy Hash: 5AF0A772900504CBCB09DF58E440AEAB775FF51311F10016EED065B350CBB29E46DEA5
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE38D2
                                                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02CE38F1
                                                                                                                • Part of subcall function 02CE1410: std::exception::exception.LIBCMT ref: 02CE1428
                                                                                                                • Part of subcall function 02CE8962: _memmove.LIBCMT ref: 02CE8982
                                                                                                              Strings
                                                                                                              • Year is out of valid range: 1400..10000, xrefs: 02CE38E0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                              • String ID: Year is out of valid range: 1400..10000
                                                                                                              • API String ID: 3258419250-2344417016
                                                                                                              • Opcode ID: 5d1d589b7214de621a3a088c310a60cbea7330a692b1c0b5674df65517eefd27
                                                                                                              • Instruction ID: 82913565e0ac528d6904b285262d5d26f67596e6480f449200eb3c04b6340c0f
                                                                                                              • Opcode Fuzzy Hash: 5d1d589b7214de621a3a088c310a60cbea7330a692b1c0b5674df65517eefd27
                                                                                                              • Instruction Fuzzy Hash: 80E09272E001049BDB18EBD49855BDDB779EB08B10F14054AD946637D0EAB11D04DBA5
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE3886
                                                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02CE38A5
                                                                                                                • Part of subcall function 02CE1410: std::exception::exception.LIBCMT ref: 02CE1428
                                                                                                                • Part of subcall function 02CE8962: _memmove.LIBCMT ref: 02CE8982
                                                                                                              Strings
                                                                                                              • Day of month value is out of range 1..31, xrefs: 02CE3894
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                              • String ID: Day of month value is out of range 1..31
                                                                                                              • API String ID: 3258419250-1361117730
                                                                                                              • Opcode ID: ff25587f0ec38b165f2f8b0eb60dffdb150377d3839c4ef758d73894b72cebe8
                                                                                                              • Instruction ID: f7a1321ec39f577bbade982db553eacc6fea28d979387a8bc62ed4a020976e45
                                                                                                              • Opcode Fuzzy Hash: ff25587f0ec38b165f2f8b0eb60dffdb150377d3839c4ef758d73894b72cebe8
                                                                                                              • Instruction Fuzzy Hash: 79E09272E001049BDB18AB949855BDDB779EB08B10F54415ADC06737D0EAB11D04DBA1
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE391E
                                                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02CE393D
                                                                                                                • Part of subcall function 02CE1410: std::exception::exception.LIBCMT ref: 02CE1428
                                                                                                                • Part of subcall function 02CE8962: _memmove.LIBCMT ref: 02CE8982
                                                                                                              Strings
                                                                                                              • Month number is out of range 1..12, xrefs: 02CE392C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                              • String ID: Month number is out of range 1..12
                                                                                                              • API String ID: 3258419250-4198407886
                                                                                                              • Opcode ID: 04ddac4bbfb7e9f803fc60eb839cb412e840c5aa758d7772fa44ffab3934d796
                                                                                                              • Instruction ID: 04316263d1a92e80079e57337799d8a7574fc6e23e2151616848c8778cf89e6c
                                                                                                              • Opcode Fuzzy Hash: 04ddac4bbfb7e9f803fc60eb839cb412e840c5aa758d7772fa44ffab3934d796
                                                                                                              • Instruction Fuzzy Hash: 4EE09272E00204DBEB18AB949855BDDB779EB08B10F14014AD806637D0EAF11D049BA5
                                                                                                              APIs
                                                                                                              • TlsAlloc.KERNEL32 ref: 02CE19CC
                                                                                                              • GetLastError.KERNEL32 ref: 02CE19D9
                                                                                                                • Part of subcall function 02CE1712: __EH_prolog.LIBCMT ref: 02CE1717
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocErrorH_prologLast
                                                                                                              • String ID: tss
                                                                                                              • API String ID: 249634027-1638339373
                                                                                                              • Opcode ID: 45fb12a7f295788fabf6089f5972d147fdbc331789892577fc5a78074c92e062
                                                                                                              • Instruction ID: 5da0612126bc3216570349c4429fe8b22e32640154cbfb798835b569c180d29e
                                                                                                              • Opcode Fuzzy Hash: 45fb12a7f295788fabf6089f5972d147fdbc331789892577fc5a78074c92e062
                                                                                                              • Instruction Fuzzy Hash: BAE02632D002104BC2003B38DC4948FFBA49A84230F108726ECAE873E0EA705D208BD2
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02CE3BD8
                                                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 02CE3BED
                                                                                                                • Part of subcall function 02CF2497: std::exception::exception.LIBCMT ref: 02CF24A1
                                                                                                                • Part of subcall function 02CEA62D: __EH_prolog.LIBCMT ref: 02CEA632
                                                                                                                • Part of subcall function 02CEA62D: __CxxThrowException@8.LIBCMT ref: 02CEA65B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3607455003.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_2ce1000_zextervideocodec32.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                              • String ID: bad cast
                                                                                                              • API String ID: 1300498068-3145022300
                                                                                                              • Opcode ID: 6c8eaf6b0c066142b32e9280111c5e08c2dee02f7ee29e6a268f1c3ff206b1b8
                                                                                                              • Instruction ID: c8786467ef11c7c5864dbbd6b4b0ea9e011184109a7e96c5f966baeccaaf8625
                                                                                                              • Opcode Fuzzy Hash: 6c8eaf6b0c066142b32e9280111c5e08c2dee02f7ee29e6a268f1c3ff206b1b8
                                                                                                              • Instruction Fuzzy Hash: 05E09AB0900108DBCB08EF94E481BBCBB71EF40301F1040A99D07477A0CB715E06CE96
                                                                                                              APIs
                                                                                                              • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404A98
                                                                                                              • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404ACC
                                                                                                              • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404AE6
                                                                                                              • HeapFree.KERNEL32(00000000,?,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404AFD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.3605154999.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.3605154999.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_400000_zextervideocodec32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocHeap$FreeVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 3499195154-0
                                                                                                              • Opcode ID: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
                                                                                                              • Instruction ID: e2b6aa67baf941fda6b0a0502f281f3949fe5c10b928d307e266fea8edbc1969
                                                                                                              • Opcode Fuzzy Hash: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
                                                                                                              • Instruction Fuzzy Hash: 1E1113B0201601EFC7208F19EE85E227BB5FB857217114A3AF692E65F1D770A845CB4C