
Windows Analysis Report
Ui6sm6N5JG.exe

Overview

General Information

Sample name: Ui6sm6N5JG.exe (renamed because the original name is a hash value)
Original sample name: 4eb0ec18b14f303b5de820f0a82c747b.exe
Analysis ID: 1527901
MD5: 4eb0ec18b14f303b5de820f0a82c747b
SHA1: 1483f2c301140245e3c2c8695db704e2971ab778
SHA256: 5ef90c4636c4d4e6684e16bcb057e914a9e318098f87d196c09017f84e9229c3
Tags: 32exe
Infos:

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
PE file has a writeable .text section
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Ui6sm6N5JG.exe (PID: 5140 cmdline: "C:\Users\user\Desktop\Ui6sm6N5JG.exe" MD5: 4EB0EC18B14F303B5DE820F0A82C747B)
    • Ui6sm6N5JG.tmp (PID: 1212 cmdline: "C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp" /SL5="$203D2,4256353,54272,C:\Users\user\Desktop\Ui6sm6N5JG.exe" MD5: C6A64497A14D9C70B36107218E969B1F)
      • jennyvideoconverter.exe (PID: 3508 cmdline: "C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe" -i MD5: DB1B847C721315246794C6FF66CF49AD)
  • cleanup

Malware configuration (Socks5Systemz): {"C2 list": ["bfliimi.com"]}
Source | Rule | Description | Author | Strings
00000005.00000002.3720875563.000000000288D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: jennyvideoconverter.exe PID: 3508 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T11:22:48.971344+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59604 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:49.793291+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59605 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:50.605563+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59606 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:51.438713+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59607 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:51.789175+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59607 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:52.620859+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59608 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:53.436040+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59609 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:54.253416+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59610 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:54.603727+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59610 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:55.722808+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59611 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:56.066569+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59611 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:56.417077+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59611 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:57.226712+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59612 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:58.598360+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59613 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:58.947800+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59613 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:59.785585+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59614 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:00.136536+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59614 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:00.948441+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59615 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:01.761798+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59616 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:02.574438+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59617 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:03.402706+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59618 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:04.210530+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59619 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:05.259815+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59620 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:06.082723+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59621 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:07.028879+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59622 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:08.126262+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59623 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:08.472640+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59623 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:08.816538+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59623 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:09.165971+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59623 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:09.991703+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59624 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:10.806083+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59625 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:11.620732+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59626 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:12.449162+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59627 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:13.280081+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59628 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:14.087196+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59629 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:14.949401+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59630 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:15.791854+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59631 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:17.536737+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59632 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:17.883289+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59632 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:18.716795+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59633 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:19.526097+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59634 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:20.348524+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59635 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:20.694652+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59635 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:21.512749+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59636 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:22.316563+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59637 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:22.659710+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59637 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:23.003436+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59637 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:23.347525+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59637 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:23.692253+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59637 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:24.553256+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59638 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:25.374154+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59639 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:26.174407+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59640 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:26.519407+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59640 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:26.862449+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59640 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:27.206489+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59640 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:27.550688+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59640 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:27.894076+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59640 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:28.240936+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59640 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:29.068530+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59641 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:30.094304+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59642 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:30.443202+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59642 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:31.379470+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59643 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:31.723779+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59643 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:32.531358+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59644 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:33.345283+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59645 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:33.690618+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59645 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:34.484914+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59646 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:34.832092+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59646 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:35.641275+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59647 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:36.538140+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59648 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:37.353501+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59649 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:38.189415+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59650 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:38.541652+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59650 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:39.350926+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59651 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:40.156889+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59652 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:40.509367+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59652 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:41.324682+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59653 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:42.126233+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59654 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:42.472059+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59654 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:42.828523+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59654 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:43.643600+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59655 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:43.988232+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59655 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:44.331345+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59655 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:44.678740+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59655 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:45.507144+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59656 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:46.331991+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59657 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:47.153383+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59658 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:47.959221+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59659 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:48.768707+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59660 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:49.582074+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59661 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:50.394559+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59662 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:51.207363+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59663 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:52.017660+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59664 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:52.843624+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59665 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:53.689584+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59666 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:54.488231+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59667 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:55.303481+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59668 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:56.113060+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59669 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:56.925112+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59670 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:57.723175+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.6 | 59672 | 185.208.158.248 | 80 | TCP


AV Detection

Source: Ui6sm6N5JG.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Avira: detection malicious, Label: HEUR/AGEN.1329998
Source: C:\ProgramData\ET Ammeter Side 10.7.46\ET Ammeter Side 10.7.46.exe | Avira: detection malicious, Label: HEUR/AGEN.1329998
Source: jennyvideoconverter.exe.3508.5.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["bfliimi.com"]}
Source: Ui6sm6N5JG.exe | ReversingLabs: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\ET Ammeter Side 10.7.46\ET Ammeter Side 10.7.46.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0045D4EC GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,2_2_0045D4EC
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0045D5A0 ArcFourCrypt,2_2_0045D5A0
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0045D5B8 ArcFourCrypt,2_2_0045D5B8
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_10001000 ISCryptGetVersion,2_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_10001130 ArcFourCrypt,2_2_10001130

Compliance

Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Unpacked PE file: 5.2.jennyvideoconverter.exe.400000.0.unpack
Source: Ui6sm6N5JG.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00452A4C FindFirstFileA,GetLastError,2_2_00452A4C
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004751F8 FindFirstFileA,FindNextFileA,FindClose,2_2_004751F8
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_00464048
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_004644C4
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00462ABC FindFirstFileA,FindNextFileA,FindClose,2_2_00462ABC
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,2_2_00497A74

Networking

Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59609 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59625 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59623 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59610 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59636 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59606 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59628 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59633 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59618 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59604 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59637 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59621 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59611 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59616 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59613 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59612 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59615 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59646 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59662 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59641 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59668 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59645 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59638 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59630 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59654 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59619 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59624 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59605 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59659 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59608 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59607 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59629 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59644 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59655 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59643 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59635 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59650 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59647 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59658 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59632 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59649 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59663 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59617 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59634 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59665 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59626 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59652 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59620 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59639 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59622 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59640 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59660 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59656 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59651 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59648 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59664 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59614 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59653 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59642 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59672 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59670 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59657 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59661 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59669 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59666 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59667 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59627 -> 185.208.158.248:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:59631 -> 185.208.158.248:80
Source: Malware configuration extractor | URLs: bfliimi.com
Source: Joe Sandbox View | IP Address: 185.208.158.248
Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1 Host: bfliimi.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1 Host: bfliimi.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1 Host: bfliimi.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1 Host: bfliimi.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1 Host: bfliimi.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1 Host: bfliimi.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1 Host: bfliimi.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1 Host: bfliimi.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1 Host: bfliimi.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1 Host: bfliimi.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1 Host: bfliimi.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 91.211.247.248
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02CE72AB Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free,5_2_02CE72AB
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1Host: bfliimi.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic | DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
        Source: global traffic | DNS traffic detected: DNS query: bfliimi.com
        Source: jennyvideoconverter.exe, 00000005.00000002.3719599246.000000000096B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.1
        Source: jennyvideoconverter.exe, 00000005.00000002.3719599246.000000000096B000.00000004.00000020.00020000.00000000.sdmp, jennyvideoconverter.exe, 00000005.00000002.3719599246.0000000000938000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.248/
        Source: jennyvideoconverter.exe, 00000005.00000002.3722353028.0000000003535000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78
        Source: jennyvideoconverter.exe, 00000005.00000002.3719599246.000000000095F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12e
        Source: jennyvideoconverter.exe, 00000005.00000002.3719599246.000000000095F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
        Source: Ui6sm6N5JG.exe, 00000001.00000003.2459061784.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.exe, 00000001.00000002.3719321321.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000003.2461601524.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000002.3720088625.0000000002120000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000002.3719353561.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000003.2461415567.0000000003110000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://fsf.org/
        Source: is-B1CI2.tmp.2.dr | String found in binary or memory: http://mingw-w64.sourceforge.net/X
        Source: is-AVIN4.tmp.2.dr | String found in binary or memory: http://tukaani.org/
        Source: is-AVIN4.tmp.2.dr | String found in binary or memory: http://tukaani.org/xz/
        Source: Ui6sm6N5JG.exe, 00000001.00000003.2459061784.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.exe, 00000001.00000002.3719321321.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000003.2461601524.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000002.3720088625.0000000002120000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000002.3719353561.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000003.2461415567.0000000003110000.00000004.00001000.00020000.00000000.sdmp, is-S75UE.tmp.2.dr | String found in binary or memory: http://www.gnu.org/licenses/
        Source: Ui6sm6N5JG.tmp, Ui6sm6N5JG.tmp, 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Ui6sm6N5JG.tmp.1.dr, is-A5OG2.tmp.2.dr | String found in binary or memory: http://www.innosetup.com/
        Source: Ui6sm6N5JG.exe, 00000001.00000003.2459642338.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.exe, 00000001.00000003.2459481267.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, Ui6sm6N5JG.tmp, 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Ui6sm6N5JG.tmp.1.dr, is-A5OG2.tmp.2.dr | String found in binary or memory: http://www.remobjects.com/ps
        Source: Ui6sm6N5JG.exe, 00000001.00000003.2459642338.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.exe, 00000001.00000003.2459481267.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Ui6sm6N5JG.tmp.1.dr, is-A5OG2.tmp.2.dr | String found in binary or memory: http://www.remobjects.com/psU

        System Summary

        Source: jennyvideoconverter.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: ET Ammeter Side 10.7.46.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0042F530 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00423B94 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004125E8 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004789DC NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004573CC PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | Code function: 1_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | Code function: 1_2_0040840C
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004804C6
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00470950
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004352D8
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00467710
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0043036C
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004444D8
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004345D4
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00486604
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00444A80
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00430EF8
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00445178
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0045F430
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0045B4D8
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00487564
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00445584
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00469770
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0048D8C4
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004519A8
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0043DD60
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_00401051
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_00401C26
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02D1E002
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02D1B4E5
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02D1BCEB
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02D1BD58
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02D053A0
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02CFE18D
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02CF9E84
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02D04E29
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02CEEFAD
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02CFDC99
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02CF8442
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02CFAC3A
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02D02DB4
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02CFE5A5
        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Jenny Video Converter\is-4LQ96.tmp FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: String function: 02D05330 appears 139 times
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: String function: 02CF8AE0 appears 37 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 00405964 appears 116 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 00408C14 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 00406ACC appears 41 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 00403400 appears 61 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 00445DE4 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 004078FC appears 43 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 004344EC appears 32 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 00403494 appears 82 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 00457D58 appears 73 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 00453330 appears 93 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 00457B4C appears 98 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 00403684 appears 221 times
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: String function: 004460B4 appears 59 times
        Source: Ui6sm6N5JG.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: Ui6sm6N5JG.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: Ui6sm6N5JG.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: Ui6sm6N5JG.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: Ui6sm6N5JG.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-A5OG2.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: is-A5OG2.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: is-A5OG2.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-A5OG2.tmp.2.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-S9QR6.tmp.2.dr | Static PE information: Number of sections : 11 > 10
        Source: is-DPTDR.tmp.2.dr | Static PE information: Number of sections : 11 > 10
        Source: is-QDATH.tmp.2.dr | Static PE information: Number of sections : 11 > 10
        Source: is-C1NKQ.tmp.2.dr | Static PE information: Number of sections : 11 > 10
        Source: is-MQ62A.tmp.2.dr | Static PE information: Number of sections : 11 > 10
        Source: is-8RBIL.tmp.2.dr | Static PE information: Number of sections : 11 > 10
        Source: is-4LQ96.tmp.2.dr | Static PE information: Number of sections : 11 > 10
        Source: is-AVIN4.tmp.2.dr | Static PE information: Number of sections : 11 > 10
        Source: is-RO1GN.tmp.2.dr | Static PE information: Number of sections : 11 > 10
        Source: is-B1CI2.tmp.2.dr | Static PE information: Number of sections : 11 > 10
        Source: is-S75UE.tmp.2.dr | Static PE information: Number of sections : 11 > 10
        Source: Ui6sm6N5JG.exe, 00000001.00000003.2459642338.00000000021D4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs Ui6sm6N5JG.exe
        Source: Ui6sm6N5JG.exe, 00000001.00000003.2459481267.00000000024B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs Ui6sm6N5JG.exe
        Source: Ui6sm6N5JG.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: _RegDLL.tmp.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/69@2/1
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02CF08B8 FormatMessageA,GetLastError
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | Code function: 1_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00455DF8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,5_2_00402524
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0046E38C GetVersion,CoCreateInstance
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | Code function: 1_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_0040224F lstrcmpiW,SetEvent,StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_0040B218 StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_004021F7 StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | File created: C:\Users\user\AppData\Local\Jenny Video Converter
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | File created: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | File read: C:\Windows\win.ini
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: Ui6sm6N5JG.exe | ReversingLabs: Detection: 15%
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | File read: C:\Users\user\Desktop\Ui6sm6N5JG.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Ui6sm6N5JG.exe "C:\Users\user\Desktop\Ui6sm6N5JG.exe"
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | Process created: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp "C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp" /SL5="$203D2,4256353,54272,C:\Users\user\Desktop\Ui6sm6N5JG.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Process created: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe "C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe" -i
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: rstrtmgr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: msacm32.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: riched20.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: usp10.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: msls31.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: explorerframe.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: sfc.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Section loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: dsound.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: powrprof.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: umpdc.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: appxsip.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: opcservices.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpWindow found: window name: TMainFormJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: Ui6sm6N5JG.exeStatic file information: File size 4537644 > 1048576

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe Unpacked PE file: 5.2.jennyvideoconverter.exe.400000.0.unpack .text:EW;.rdata:R;_cde_4:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe Unpacked PE file: 5.2.jennyvideoconverter.exe.400000.0.unpack
        Source: is-LFUVE.tmp.2.dr Static PE information: 0x8C00008C [Mon Jun 6 07:19:40 2044 UTC]
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_004502AC GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_004502AC
        Source: jennyvideoconverter.exe.2.dr Static PE information: section name: _cde_4
        Source: is-MQ62A.tmp.2.dr Static PE information: section name: /4
        Source: is-P5UA0.tmp.2.dr Static PE information: section name: /4
        Source: is-8RBIL.tmp.2.dr Static PE information: section name: /4
        Source: is-4LQ96.tmp.2.dr Static PE information: section name: /4
        Source: is-UQ9I6.tmp.2.dr Static PE information: section name: /4
        Source: is-EHQOC.tmp.2.dr Static PE information: section name: /4
        Source: is-GEGLG.tmp.2.dr Static PE information: section name: /4
        Source: is-S75UE.tmp.2.dr Static PE information: section name: /4
        Source: is-LFUVE.tmp.2.dr Static PE information: section name: /4
        Source: is-IRD9M.tmp.2.dr Static PE information: section name: /4
        Source: is-QEJVQ.tmp.2.dr Static PE information: section name: /4
        Source: is-C1NKQ.tmp.2.dr Static PE information: section name: /4
        Source: is-9HKT1.tmp.2.dr Static PE information: section name: /4
        Source: is-AVIN4.tmp.2.dr Static PE information: section name: /4
        Source: is-QDATH.tmp.2.dr Static PE information: section name: /4
        Source: is-DPTDR.tmp.2.dr Static PE information: section name: /4
        Source: is-RO1GN.tmp.2.dr Static PE information: section name: /4
        Source: is-F43L8.tmp.2.dr Static PE information: section name: /4
        Source: is-S9QR6.tmp.2.dr Static PE information: section name: /4
        Source: is-BCL55.tmp.2.dr Static PE information: section name: /4
        Source: is-FE0K6.tmp.2.dr Static PE information: section name: /4
        Source: is-NQ9HL.tmp.2.dr Static PE information: section name: /4
        Source: is-CDC06.tmp.2.dr Static PE information: section name: /4
        Source: is-DSDH3.tmp.2.dr Static PE information: section name: /4
        Source: is-R67ES.tmp.2.dr Static PE information: section name: /4
        Source: is-B1CI2.tmp.2.dr Static PE information: section name: /4
        Source: is-IHV98.tmp.2.dr Static PE information: section name: /4
        Source: ET Ammeter Side 10.7.46.exe.5.dr Static PE information: section name: _cde_4
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe Code function: 1_2_004065B8 push 004065F5h; ret 1_2_004065ED
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe Code function: 1_2_004040B5 push eax; ret 1_2_004040F1
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe Code function: 1_2_00408104 push ecx; mov dword ptr [esp], eax 1_2_00408109
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe Code function: 1_2_00404185 push 00404391h; ret 1_2_00404389
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe Code function: 1_2_00404206 push 00404391h; ret 1_2_00404389
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe Code function: 1_2_0040C218 push eax; ret 1_2_0040C219
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe Code function: 1_2_004042E8 push 00404391h; ret 1_2_00404389
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe Code function: 1_2_00404283 push 00404391h; ret 1_2_00404389
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe Code function: 1_2_00408F38 push 00408F6Bh; ret 1_2_00408F63
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_00409954 push 00409991h; ret 2_2_00409989
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_0040A04F push ds; ret 2_2_0040A050
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_0040A023 push ds; ret 2_2_0040A04D
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_00460088 push ecx; mov dword ptr [esp], ecx 2_2_0046008C
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_004062CC push ecx; mov dword ptr [esp], eax 2_2_004062CD
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_0049467C push ecx; mov dword ptr [esp], ecx 2_2_00494681
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_004106E0 push ecx; mov dword ptr [esp], edx 2_2_004106E5
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_00412938 push 0041299Bh; ret 2_2_00412993
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_0040D038 push ecx; mov dword ptr [esp], edx 2_2_0040D03A
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_004850AC push ecx; mov dword ptr [esp], ecx 2_2_004850B1
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_00443450 push ecx; mov dword ptr [esp], ecx 2_2_00443454
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_0040546D push eax; ret 2_2_004054A9
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_0040553D push 00405749h; ret 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_0040F598 push ecx; mov dword ptr [esp], edx 2_2_0040F59A
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_004055BE push 00405749h; ret 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_00459634 push 00459678h; ret 2_2_00459670
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_0040563B push 00405749h; ret 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_004056A0 push 00405749h; ret 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_004517E4 push 00451817h; ret 2_2_0045180F
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_004519A8 push ecx; mov dword ptr [esp], eax 2_2_004519AD
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_00483A08 push 00483AF7h; ret 2_2_00483AEF
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_00477A24 push ecx; mov dword ptr [esp], edx 2_2_00477A25

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_00401A4F
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_02CEF7D6
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-MQ62A.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-S9QR6.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-P5UA0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpangomm-1.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Temp\is-4CRD6.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpangowin32-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libharfbuzz-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgdkmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-B1CI2.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-C1NKQ.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libsigc-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\liblcms2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpng16-16.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Temp\is-4CRD6.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-AVIN4.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libglibmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libwinpthread-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-S75UE.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpcre-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-DPTDR.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-LFUVE.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-CDC06.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Temp\is-4CRD6.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-4LQ96.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-RO1GN.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpango-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-9HKT1.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgomp-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpangoft2-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-8RBIL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-QEJVQ.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\librsvg-2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgdk_pixbuf-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\uninstall\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-FE0K6.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-R67ES.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\zlib1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgcc_s_dw2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-IRD9M.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\uninstall\is-A5OG2.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpangocairo-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-QDATH.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgdk-win32-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgobject-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-EHQOC.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-BCL55.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-IHV98.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libtiff-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe File created: C:\ProgramData\ET Ammeter Side 10.7.46\ET Ammeter Side 10.7.46.exe
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-GEGLG.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Temp\is-4CRD6.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-F43L8.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libjpeg-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgmodule-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\liblzma-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-NQ9HL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-DSDH3.tmp
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe File created: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libpixman-1-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libintl-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\libgraphite2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp File created: C:\Users\user\AppData\Local\Jenny Video Converter\is-UQ9I6.tmp

        Boot Survival

        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_00401A4F
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_02CEF7D6
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe Code function: 5_2_0040224F lstrcmpiW,SetEvent,StartServiceCtrlDispatcherA, 5_2_0040224F
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 2_2_00423C1C
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_004241EC IsIconic,SetActiveWindow,SetFocus, 2_2_004241EC
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_004241A4 IsIconic,SetActiveWindow, 2_2_004241A4
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 2_2_00418394
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 2_2_0042286C
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_004833BC IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 2_2_004833BC
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_004175A8 IsIconic,GetCapture, 2_2_004175A8
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_00417CDE IsIconic,SetWindowPos, 2_2_00417CDE
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 2_2_00417CE0
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Code function: 2_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 2_2_0041F128
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 5_2_00401B4B
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 5_2_02CEF8DA
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe Window / User API: threadDelayed 9727
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-MQ62A.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-P5UA0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-S9QR6.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpangomm-1.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4CRD6.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpangowin32-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libharfbuzz-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgdkmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-B1CI2.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-C1NKQ.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libsigc-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\liblcms2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpng16-16.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4CRD6.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-AVIN4.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libglibmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libwinpthread-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-S75UE.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpcre-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-DPTDR.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-LFUVE.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-CDC06.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4CRD6.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-RO1GN.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-4LQ96.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpango-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-9HKT1.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgomp-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpangoft2-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-8RBIL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-QEJVQ.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\librsvg-2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgdk_pixbuf-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\uninstall\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-FE0K6.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-R67ES.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\zlib1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgcc_s_dw2-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-IRD9M.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\uninstall\is-A5OG2.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpangocairo-1.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-QDATH.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgdk-win32-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgobject-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libtiff-5.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-BCL55.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-IHV98.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-EHQOC.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-GEGLG.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4CRD6.tmp\_isetup\_RegDLL.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-F43L8.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libjpeg-8.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgmodule-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\liblzma-5.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-DSDH3.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-NQ9HL.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libpixman-1-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libintl-8.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\libgraphite2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Jenny Video Converter\is-UQ9I6.tmpJump to dropped file
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_1-5686
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_5-18234
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_5-18598
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe TID: 7020Thread sleep count: 122 > 30Jump to behavior
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe TID: 7020Thread sleep time: -244000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe TID: 4492Thread sleep count: 82 > 30Jump to behavior
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe TID: 4492Thread sleep time: -4920000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe TID: 7020Thread sleep count: 9727 > 30Jump to behavior
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe TID: 7020Thread sleep time: -19454000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exeFile opened: PhysicalDrive0Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpCode function: 2_2_00452A4C FindFirstFileA,GetLastError,2_2_00452A4C
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpCode function: 2_2_004751F8 FindFirstFileA,FindNextFileA,FindClose,2_2_004751F8
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpCode function: 2_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_00464048
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpCode function: 2_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_004644C4
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpCode function: 2_2_00462ABC FindFirstFileA,FindNextFileA,FindClose,2_2_00462ABC
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpCode function: 2_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,2_2_00497A74
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exeCode function: 1_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,1_2_00409B30
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exeThread delayed: delay time: 60000Jump to behavior
        Source: jennyvideoconverter.exe, 00000005.00000002.3721708181.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, jennyvideoconverter.exe, 00000005.00000002.3719599246.0000000000888000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: jennyvideoconverter.exe, 00000005.00000000.2489670300.0000000000401000.00000080.00000001.01000000.00000009.sdmp, jennyvideoconverter.exe.2.dr, ET Ammeter Side 10.7.46.exe.5.dr, is-6031D.tmp.2.drBinary or memory string: uFKqeMU
        Source: jennyvideoconverter.exe, 00000005.00000002.3721708181.00000000033A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWi
        Source: C:\Users\user\Desktop\Ui6sm6N5JG.exeAPI call chain: ExitProcess graph end nodegraph_1-6726
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exeAPI call chain: ExitProcess graph end nodegraph_5-18599
        Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exeAPI call chain: ExitProcess graph end nodegraph_5-19635
        Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmpProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep (graph_5-18128)
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02D000FE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_004502AC GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02CE648B RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02CF9468 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00478420 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid
Source: C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | Code function: 5_2_02CEF78E cpuid
Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | Code function: GetLocaleInfoA,1_2_004051FC
Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | Code function: GetLocaleInfoA,1_2_00405248
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: GetLocaleInfoA,2_2_00408570
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: GetLocaleInfoA,2_2_004085BC
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_0045892C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | Code function: 1_2_004026C4 GetSystemTime
Source: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp | Code function: 2_2_00455588 GetUserNameA
Source: C:\Users\user\Desktop\Ui6sm6N5JG.exe | Code function: 1_2_00405CE4 GetVersionExA

Stealing of Sensitive Information

Source: Yara match | File source: 00000005.00000002.3720875563.000000000288D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jennyvideoconverter.exe PID: 3508, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000005.00000002.3720875563.000000000288D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jennyvideoconverter.exe PID: 3508, type: MEMORYSTR
MITRE ATT&CK Matrix (one list per tactic column; a figure in parentheses is the match count the report prints next to that technique, techniques without a figure are the matrix's unmatched placeholders)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Native API (3); Service Execution (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Windows Service (4); Bootkit (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (4); Process Injection (2); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (21); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (121); Access Token Manipulation (1); Process Injection (2); Bootkit (1); Stripped Payloads
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (35); Security Software Discovery (141); Process Discovery (1); Virtualization/Sandbox Evasion (121); Application Window Discovery (11); System Owner/User Discovery (3); Remote System Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (2); Non-Application Layer Protocol (2); Application Layer Protocol (112); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Antivirus, Machine Learning and Genetic Malware Detection

Initial sample (Source | Detection | Scanner | Label)
Ui6sm6N5JG.exe | 16% | ReversingLabs | Win32.Trojan.Munp
Ui6sm6N5JG.exe | 100% | Avira | HEUR/AGEN.1332570

Dropped files (Source | Detection | Scanner | Label)
C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | 100% | Avira | HEUR/AGEN.1329998
C:\ProgramData\ET Ammeter Side 10.7.46\ET Ammeter Side 10.7.46.exe | 100% | Avira | HEUR/AGEN.1329998
C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe | 100% | Joe Sandbox ML
C:\ProgramData\ET Ammeter Side 10.7.46\ET Ammeter Side 10.7.46.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Jenny Video Converter\is-4LQ96.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-8RBIL.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-9HKT1.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-AVIN4.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-B1CI2.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-BCL55.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-C1NKQ.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-CDC06.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-DPTDR.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-DSDH3.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-EHQOC.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-F43L8.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-FE0K6.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-GEGLG.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-IHV98.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-IRD9M.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-LFUVE.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-MQ62A.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-NQ9HL.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-P5UA0.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-QDATH.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-QEJVQ.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-R67ES.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-RO1GN.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-S75UE.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-S9QR6.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\is-UQ9I6.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libgcc_s_dw2-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libgdk-win32-2.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libgdk_pixbuf-2.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libgdkmm-2.4-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libglibmm-2.4-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libgmodule-2.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libgobject-2.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libgomp-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libgraphite2.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libharfbuzz-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libintl-8.dll (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libjpeg-8.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\liblcms2-2.dll (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\liblzma-5.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libpango-1.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libpangocairo-1.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libpangoft2-1.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libpangomm-1.4-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libpangowin32-1.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libpcre-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libpixman-1-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libpng16-16.dll (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\librsvg-2-2.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libsigc-2.0-0.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libtiff-5.dll (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\libwinpthread-1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Jenny Video Converter\zlib1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4CRD6.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4CRD6.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4CRD6.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4CRD6.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches

URLs (Source | Detection | Scanner | Label)
http://www.innosetup.com/ | 0% | URL Reputation | safe
http://www.remobjects.com/psU | 0% | URL Reputation | safe
http://www.remobjects.com/ps | 0% | URL Reputation | safe
Domains and IPs

Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
bfliimi.com | 185.208.158.248 | true | true | - | unknown
18.31.95.13.in-addr.arpa | unknown | unknown | false | - | unknown

Contacted domains and URLs flagged malicious (Name | Malicious | Antivirus Detection | Reputation)
bfliimi.com | true | - | unknown
http://bfliimi.com/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f | true | - | unknown

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
http://www.innosetup.com/ | Ui6sm6N5JG.tmp, Ui6sm6N5JG.tmp, 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Ui6sm6N5JG.tmp.1.dr, is-A5OG2.tmp.2.dr | false | URL Reputation: safe | unknown
http://tukaani.org/ | is-AVIN4.tmp.2.dr | false | - | unknown
http://www.remobjects.com/psU | Ui6sm6N5JG.exe, 00000001.00000003.2459642338.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.exe, 00000001.00000003.2459481267.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Ui6sm6N5JG.tmp.1.dr, is-A5OG2.tmp.2.dr | false | URL Reputation: safe | unknown
http://tukaani.org/xz/ | is-AVIN4.tmp.2.dr | false | - | unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12e | jennyvideoconverter.exe, 00000005.00000002.3719599246.000000000095F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://mingw-w64.sourceforge.net/X | is-B1CI2.tmp.2.dr | false | - | unknown
http://185.208.158.248/ | jennyvideoconverter.exe, 00000005.00000002.3719599246.000000000096B000.00000004.00000020.00020000.00000000.sdmp, jennyvideoconverter.exe, 00000005.00000002.3719599246.0000000000938000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d | jennyvideoconverter.exe, 00000005.00000002.3719599246.000000000095F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78 | jennyvideoconverter.exe, 00000005.00000002.3722353028.0000000003535000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.remobjects.com/ps | Ui6sm6N5JG.exe, 00000001.00000003.2459642338.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.exe, 00000001.00000003.2459481267.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, Ui6sm6N5JG.tmp, 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Ui6sm6N5JG.tmp.1.dr, is-A5OG2.tmp.2.dr | false | URL Reputation: safe | unknown
http://fsf.org/ | Ui6sm6N5JG.exe, 00000001.00000003.2459061784.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.exe, 00000001.00000002.3719321321.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000003.2461601524.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000002.3720088625.0000000002120000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000002.3719353561.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000003.2461415567.0000000003110000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://185.208.1 | jennyvideoconverter.exe, 00000005.00000002.3719599246.000000000096B000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.gnu.org/licenses/ | Ui6sm6N5JG.exe, 00000001.00000003.2459061784.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.exe, 00000001.00000002.3719321321.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000003.2461601524.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000002.3720088625.0000000002120000.00000004.00001000.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000002.3719353561.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, Ui6sm6N5JG.tmp, 00000002.00000003.2461415567.0000000003110000.00000004.00001000.00020000.00000000.sdmp, is-S75UE.tmp.2.dr | false | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.208.158.248 | bfliimi.com | Switzerland | 34888 | SIMPLECARRER2IT | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1527901
                                    Start date and time:2024-10-07 11:20:15 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 7m 14s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:Ui6sm6N5JG.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:4eb0ec18b14f303b5de820f0a82c747b.exe
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@5/69@2/1
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 91%
                                    • Number of executed functions: 166
                                    • Number of non-executed functions: 258
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • VT rate limit hit for: Ui6sm6N5JG.exe
Time | Type | Description
05:22:28 | API Interceptor | 420336x Sleep call for process: jennyvideoconverter.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
185.208.158.248 | ITJ8wVQL5s.exe | malicious | Socks5Systemz
 | AyiNxJ98mL.exe | malicious | Socks5Systemz
 | 0IQmaTXO62.exe | malicious | Socks5Systemz
 | 2d3on76vhf.exe | malicious | Socks5Systemz
 | Dw0MqzrLWq.exe | malicious | Socks5Systemz
 | noode.exe | malicious | Socks5Systemz
 | eCh9R4T214.exe | malicious | Socks5Systemz
 | noode.exe | malicious | Socks5Systemz
 | file.exe | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig
 | Xzm9fAfKhB.exe | malicious | Socks5Systemz
                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SIMPLECARRER2IT | ITJ8wVQL5s.exe | malicious | Socks5Systemz | 185.208.158.248
 | SQE6u2kmJL.exe | malicious | Socks5Systemz | 185.196.8.214
 | sl9B1ty1iL.exe | malicious | Socks5Systemz | 185.196.8.214
 | okkWFXQP0G.exe | malicious | Socks5Systemz | 185.196.8.214
 | xW98tuRe0i.exe | malicious | Socks5Systemz | 185.196.8.214
 | AyiNxJ98mL.exe | malicious | Socks5Systemz | 185.208.158.248
 | pTQN2MIbjQ.exe | malicious | Socks5Systemz | 185.196.8.214
 | 0IQmaTXO62.exe | malicious | Socks5Systemz | 185.208.158.248
 | 2d3on76vhf.exe | malicious | Socks5Systemz | 185.208.158.248
 | Dw0MqzrLWq.exe | malicious | Socks5Systemz | 185.208.158.248
                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Jenny Video Converter\is-4LQ96.tmp | ITJ8wVQL5s.exe | malicious | Socks5Systemz
 | SQE6u2kmJL.exe | malicious | Socks5Systemz
 | sl9B1ty1iL.exe | malicious | Socks5Systemz
 | okkWFXQP0G.exe | malicious | Socks5Systemz
 | xW98tuRe0i.exe | malicious | Socks5Systemz
 | AyiNxJ98mL.exe | malicious | Socks5Systemz
 | pTQN2MIbjQ.exe | malicious | Socks5Systemz
 | 0IQmaTXO62.exe | malicious | Socks5Systemz
 | 2d3on76vhf.exe | malicious | Socks5Systemz
 | Dw0MqzrLWq.exe | malicious | Socks5Systemz
                                                                            Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):3532288
                                                                            Entropy (8bit):6.823700285250343
                                                                            Encrypted:false
                                                                            SSDEEP:98304:GYM3RNgO0uIXlN1qw7BuptzATsdI7+9CL28guA:GdhNgZfTMK2
                                                                            MD5:DB1B847C721315246794C6FF66CF49AD
                                                                            SHA1:72DAFA74BFF9CAFE8309B04FCCA706154834FBFB
                                                                            SHA-256:36F3E6FDD68E9E229BC5891F3D5F4F538C594BB638F9A200DC227B941ADD3729
                                                                            SHA-512:761276F62184940372F40A51C7AE64C1455B42FE4828C73BC866D37699CF5C12A8C60BDDCCF9919CCC01823FEB5E3232F527C9574F692E6CB2CAD7290749E3FC
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            Reputation:low
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....b.L.................."..x.......z"......."...@..........................`6......q6.....................................D.".......#...............................................................................".d............................text.....".......".................`....rdata...(...."..*....".............@..@_cde_4..8.....#..0....".............@....rsrc.........#.......#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):8
                                                                            Entropy (8bit):2.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:5vtn:dtn
                                                                            MD5:2190A4D9F49323EEC9442B852003A51E
                                                                            SHA1:4FCAFB58ADDE2A644975F27473FE2C6CF7726D12
                                                                            SHA-256:D24011ECAD78B5A303E9AAB2F877F6519D23641A01B82EBB6B4169CD79338A82
                                                                            SHA-512:C1CC7197BA0244EB9228150526A387DA1C537E50F55B34DF0F0BEBEFC48E1D066B8F1DD9B3224F58BBA0F6B8EF71702E986F4A3F0D1BC4CA65CE44C9C971216B
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Preview:n..g....
                                                                            Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):4
                                                                            Entropy (8bit):0.8112781244591328
                                                                            Encrypted:false
                                                                            SSDEEP:3:C:C
                                                                            MD5:5E01938ACB3E0DF0543697FC023BFFB1
                                                                            SHA1:3AA850148C2EE2335F0993B5D13A6686B0128496
                                                                            SHA-256:412184DDEF9DC026081346B3B2F525C3ADE2F1D14C48A04950D197B6B456613E
                                                                            SHA-512:C6E2A9FA65A70F4055AE39CD2D887A2E287201D0A9BBE97CA520140807EA171C96838C25677B3E95D913EA8CFA87A8F2A2BB34ED3E7CFD7A004A812C6EEC71E8
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview:c...
                                                                            Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):128
                                                                            Entropy (8bit):2.9545817380615236
                                                                            Encrypted:false
                                                                            SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                            MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                            SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                            SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                            SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                                            Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):128
                                                                            Entropy (8bit):1.7095628900165245
                                                                            Encrypted:false
                                                                            SSDEEP:3:LDXdQSWBdMUE/:LLdQSGd
                                                                            MD5:4FFFD4D2A32CBF8FB78D521B4CC06680
                                                                            SHA1:3FA6EFA82F738740179A9388D8046619C7EBDF54
                                                                            SHA-256:EC52F73A17E6AFCF78F3FD8DFC7177024FEB52F5AC2B602886788E4348D5FB68
                                                                            SHA-512:130A074E6AD38EEE2FB088BED2FCB939BF316B0FCBB4F5455AB49C2685BEEDCB5011107A22A153E56BF5E54A45CA4801C56936E71899C99BA9A4F694A1D4CC6D
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview:dad6f9fa0c8327344d1aa24f183c3767................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):337171
                                                                            Entropy (8bit):6.46334441651647
                                                                            Encrypted:false
                                                                            SSDEEP:3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
                                                                            MD5:51D62C9C7D56F2EF2F0F628B8FC249AD
                                                                            SHA1:33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
                                                                            SHA-256:FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
                                                                            SHA-512:03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: ITJ8wVQL5s.exe, Detection: malicious
• Filename: SQE6u2kmJL.exe, Detection: malicious
• Filename: sl9B1ty1iL.exe, Detection: malicious
• Filename: okkWFXQP0G.exe, Detection: malicious
• Filename: xW98tuRe0i.exe, Detection: malicious
• Filename: AyiNxJ98mL.exe, Detection: malicious
• Filename: pTQN2MIbjQ.exe, Detection: malicious
• Filename: 0IQmaTXO62.exe, Detection: malicious
• Filename: 2d3on76vhf.exe, Detection: malicious
• Filename: Dw0MqzrLWq.exe, Detection: malicious
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#......................... .....c.........................`................ ..........................8........... .......................0.../......................................................`............................text...............................`.P`.data...`.... ......................@.0..rdata..4....0......................@.`@/4......D...........................@.0@.bss..................................`..edata...8.......:...p..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc.../...0...0..................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):3532288
                                                                            Entropy (8bit):6.823700076364256
                                                                            Encrypted:false
                                                                            SSDEEP:98304:TYM3RNgO0uIXlN1qw7BuptzATsdI7+9CL28guA:TdhNgZfTMK2
                                                                            MD5:34B670F107ED67C074C48D34EAAF3FE0
                                                                            SHA1:93E3F9B72FED5619FDFFAFF77CE4848C6595C6DC
                                                                            SHA-256:F8C18DC82DA9C47C9CA2030335B14AE04562AB0983C34080D86EB71BCEE2259D
                                                                            SHA-512:88EC30364F170B629651F5E6AD915758E2A8788C94AD4957BF8AFF5DA82A3D6A1438CE827FC936BB59DD20BB3E5A80E792D1BACE283696FCC89B10FC0F9BA2BE
                                                                            Malicious:false
                                                                            Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....b.L.................."..x.......z"......."...@..........................`6......q6.....................................D.".......#...............................................................................".d............................text.....".......".................`....rdata...(...."..*....".............@..@_cde_4..8.....#..0....".............@....rsrc.........#.......#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):26562
                                                                            Entropy (8bit):5.606958768500933
                                                                            Encrypted:false
                                                                            SSDEEP:768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
                                                                            MD5:E9C7068B3A10C09A283259AA1B5D86F2
                                                                            SHA1:3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
                                                                            SHA-256:06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
                                                                            SHA-512:AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7G7.Z..V......#.....(...V...............@.....m.......................................... .........................O...............p.......................l.......................................................@............................text....&.......(..................`.P`.data...0....@.......,..............@.0..rdata.......P......................@.0@/4...........`.......6..............@.0@.bss.........p........................`..edata..O............B..............@.0@.idata...............D..............@.0..CRT....,............N..............@.0..tls.... ............P..............@.0..rsrc...p............R..............@.0..reloc..l............V..............@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):268404
                                                                            Entropy (8bit):6.265024248848175
                                                                            Encrypted:false
                                                                            SSDEEP:3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
                                                                            MD5:C4C23388109D8A9CC2B87D984A1F09B8
                                                                            SHA1:74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
                                                                            SHA-256:11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
                                                                            SHA-512:060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....V...................p....4j.......................................... ......................`.......`..xk..............................D....................................................k...............................text....T.......V..................`.P`.data... ....p.......Z..............@.0..rdata..X ......."...\..............@.`@/4......0............~..............@.0@.bss....H....P........................`..edata.......`......................@.0@.idata..xk...`...l..................@.0..CRT....,............x..............@.0..tls.... ............z..............@.0..reloc..D............|..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):171848
                                                                            Entropy (8bit):6.579154579239999
                                                                            Encrypted:false
                                                                            SSDEEP:3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
                                                                            MD5:236A679AB1B16E66625AFBA86A4669EB
                                                                            SHA1:73AE354886AB2609FFA83429E74D8D9F34BD45F2
                                                                            SHA-256:B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
                                                                            SHA-512:C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ......;......#...............................c................................q......... .........................,.......<.......H...........................................................................(................................text...............................`.P`.data... ...........................@.0..rdata..|y.......z..................@.`@/4......HN...@...P... ..............@.0@.bss..................................`..edata..,............p..............@.0@.idata..<............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...H...........................@.0..reloc..............................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):65181
                                                                            Entropy (8bit):6.085572761520829
                                                                            Encrypted:false
                                                                            SSDEEP:768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
                                                                            MD5:98A49CC8AE2D608C6E377E95833C569B
                                                                            SHA1:BA001D8595AC846D9736A8A7D9161828615C135A
                                                                            SHA-256:213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
                                                                            SHA-512:C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):291245
                                                                            Entropy (8bit):6.234245376773595
                                                                            Encrypted:false
                                                                            SSDEEP:6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
                                                                            MD5:2D8A0BC588118AA2A63EED7BF6DFC8C5
                                                                            SHA1:7FB318DC21768CD62C0614D7AD773CCFB7D6C893
                                                                            SHA-256:707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
                                                                            SHA-512:A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........h..@......#.........d....................4i................................<......... ......................p..5.......t...................................................................................<................................text...T...........................`.P`.data...0...........................@.0..rdata...v.......x..................@.`@/4...........@......................@.0@.bss.........`........................`..edata..5....p.......6..............@.0@.idata..t............>..............@.0..CRT....,............F..............@.0..tls.... ............H..............@.0..reloc...............J..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):814068
                                                                            Entropy (8bit):6.5113626552096
                                                                            Encrypted:false
                                                                            SSDEEP:24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
                                                                            MD5:5B1EB4B36F189362DEF93BF3E37354CC
                                                                            SHA1:8C0A4992A6180D0256ABF669DFDEE228F03300BA
                                                                            SHA-256:D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
                                                                            SHA-512:BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wl....i......#..............................Tl.................................`........ ..........................b...`...L.......h...................@...I...................................................j..X............................text..............................`.P`.data...............................@.`..rdata..\...........................@.`@/4.......S...p...T...H..............@.0@.bss..................................`..edata...b.......d..................@.0@.idata...L...`...L..................@.0..CRT....,............L..............@.0..tls.... ............N..............@.0..rsrc....h.......j...P..............@.0..reloc...I...@...J..................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):248694
                                                                            Entropy (8bit):6.346971642353424
                                                                            Encrypted:false
                                                                            SSDEEP:6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
                                                                            MD5:39A15291B9A87AEE42FBC46EC1FE35D6
                                                                            SHA1:AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
                                                                            SHA-256:7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
                                                                            SHA-512:FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....x.........................i.......................................... ......................`..u........1...................................................................................................................text...Tw.......x..................`.P`.data................|..............@.`..rdata..t;.......<...~..............@.`@/4.......f.......h..................@.0@.bss.........P........................`..edata..u....`......."..............@.0@.idata...1.......2...>..............@.0..CRT....,............p..............@.0..tls.... ............r..............@.0..reloc...............t..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):64724
                                                                            Entropy (8bit):5.910307743399971
                                                                            Encrypted:false
                                                                            SSDEEP:768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
                                                                            MD5:7AF455ADEA234DEA33B2A65B715BF683
                                                                            SHA1:F9311CB03DCF50657D160D89C66998B9BB1F40BA
                                                                            SHA-256:6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
                                                                            SHA-512:B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....h........................lm.........................P................ .................................."...0..`....................@............................... .......................................................text...dg.......h..................`.P`.data...0............l..............@.0..rdata...............n..............@.@@/4......\............z..............@.0@.bss....,.............................`..edata..............................@.0@.idata...".......$..................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc...`....0......................@.0..reloc.......@......................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):30994
                                                                            Entropy (8bit):5.666281517516177
                                                                            Encrypted:false
                                                                            SSDEEP:768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
                                                                            MD5:3C033F35FE26BC711C4D68EB7CF0066D
                                                                            SHA1:83F1AED76E6F847F6831A1A1C00FEDC50F909B81
                                                                            SHA-256:9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
                                                                            SHA-512:7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#.....*...l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.......*..................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):235032
                                                                            Entropy (8bit):6.398850087061798
                                                                            Encrypted:false
                                                                            SSDEEP:6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
                                                                            MD5:E1D0ACD1243F9E59491DC115F4E379A4
                                                                            SHA1:5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
                                                                            SHA-256:FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
                                                                            SHA-512:392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........Y......#..............................tp.......................................... .........................$...............................................................................................<............................text...............................`.P`.data...L...........................@.0..rdata...1.......2..................@.`@/4.......m... ...n..................@.0@.bss..................................`..edata..$............`..............@.0@.idata...............j..............@.0..CRT....,............t..............@.0..tls.... ............v..............@.0..reloc...............x..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):165739
                                                                            Entropy (8bit):6.062324507479428
                                                                            Encrypted:false
                                                                            SSDEEP:3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
                                                                            MD5:E2F18B37BC3D02CDE2E5C15D93E38418
                                                                            SHA1:1A6C58F4A50269D3DB8C86D94B508A1919841279
                                                                            SHA-256:7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
                                                                            SHA-512:61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........0.........#.........,.....................n................................&......... .........................y....0...D..................................................................................x7...............................text...............................`.P`.data... ...........................@.0..rdata..............................@.`@/4......Dg.......h..................@.0@.bss....(....p........................`..edata..y............8..............@.0@.idata...D...0...F..................@.0..CRT....,............ ..............@.0..tls.... ............"..............@.0..reloc...............$..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):706136
                                                                            Entropy (8bit):6.517672165992715
                                                                            Encrypted:false
                                                                            SSDEEP:12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
                                                                            MD5:3A8A13F0215CDA541EC58F7C80ED4782
                                                                            SHA1:085C3D5F62227319446DD61082919F6BE1EFD162
                                                                            SHA-256:A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
                                                                            SHA-512:4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.......Q......#..............................Pe......................... ................ .........................A.......L............................... ,......................................................,............................text...8...........................`.P`.data...............................@.P..rdata..............................@.`@/4......\............x..............@.0@.bss..................................`..edata..A........ ...^..............@.0@.idata..L............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc.. ,..........................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):441975
                                                                            Entropy (8bit):6.372283713065844
                                                                            Encrypted:false
                                                                            SSDEEP:6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
                                                                            MD5:6CD78C8ADD1CFC7CBB85E2B971FCC764
                                                                            SHA1:5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
                                                                            SHA-256:C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
                                                                            SHA-512:EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....~.........................a......................... ......A3........ ..........................'......................................|....................................................................................text...4|.......~..................`.P`.data...............................@.`..rdata..............................@.`@/4..................................@.0@.bss..................................`..edata...'.......(...R..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..|...........................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):98626
                                                                            Entropy (8bit):6.478068795827396
                                                                            Encrypted:false
SSDEEP:1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
MD5:70CA53E8B46464CCF956D157501D367A
SHA1:AE0356FAE59D9C2042270E157EA0D311A831C86A
SHA-256:4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
SHA-512:CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....='=.x..=......#.........t.....................c.......................................... .................................8...............................0...................................................0................................text...t...........................`.P`.data... ...........................@.0..rdata...M.......N..................@.`@/4......t&...P...(...4..............@.0@.bss..................................`..edata...............\..............@.0@.idata..8............f..............@.0..CRT....,............n..............@.0..tls.... ............p..............@.0..reloc..0............r..............@.0B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):397808
Entropy (8bit):6.396146399966879
Encrypted:false
SSDEEP:6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
MD5:E0747D2E573E0A05A7421C5D9B9D63CC
SHA1:C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
SHA-256:25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
SHA-512:201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\4......n......#......................... ....Dk.......................................... ..........................5...0...............................`..T............................P.......................2...............................text...D...........................`.P`.data...X1... ...2..................@.`..rdata..x....`.......F..............@.`@/4..................................@.0@.bss....`.............................`..edata...5.......6..................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..reloc..T....`......................@.0B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):509934
Entropy (8bit):6.031080686301204
Encrypted:false
SSDEEP:6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
MD5:02E6C6AB886700E6F184EEE43157C066
SHA1:E796B7F7762BE9B90948EB80D0138C4598700ED9
SHA-256:EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
SHA-512:E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........P......#...............................k......................... ......CY........ .....................................................................................................................|...,............................text...T...........................`.P`.data...............................@.0..rdata..XN.......P..................@.`@/4.......x...0...z..................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):181527
Entropy (8bit):6.362061002967905
Encrypted:false
SSDEEP:3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
MD5:0D0D311D1837705B1EAFBC5A85A695BD
SHA1:AA7FA3EB181CC5E5B0AA240892156A1646B45184
SHA-256:AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
SHA-512:14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..............#..............................Te......................... ................ .........................b........#......................................................................................H............................text...$...........................`.P`.data...4...........................@.0..rdata...J.......L..................@.`@/4.......I... ...J..................@.0@.bss.........p........................`..edata..b............@..............@.0@.idata...#.......$...V..............@.0..CRT....,............z..............@.0..tls.... ............|..............@.0..rsrc................~..............@.0..reloc..............................@.0B........................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):248781
Entropy (8bit):6.474165596279956
Encrypted:false
SSDEEP:3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
MD5:C4002F9E4234DFB5DBE64C8D2C9C2F09
SHA1:5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
SHA-256:F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
SHA-512:4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........]......#...............................h......................... .......!........ .........................A.......\.......................................................................................\............................text..............................`.P`.data...T...........................@.0..rdata..P[.......\..................@.`@/4.......v...0...v..................@.0@.bss..................................`..edata..A........ ..................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):463112
Entropy (8bit):6.363613724826455
Encrypted:false
SSDEEP:12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
MD5:D9D9C79E35945FCA3F9D9A49378226E7
SHA1:4544A47D5B9765E5717273AAFF62724DF643F8F6
SHA-256:18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
SHA-512:B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........V.........#.........R....................lf.......................................... ......................@..w.......................................<....................................................................................text...$...........................`.P`.data... ...........................@.0..rdata...J.......L..................@.`@/4..................................@.0@.bss....h....0........................`..edata..w....@......................@.0@.idata..............................@.0..CRT....,............4..............@.0..tls.... ............6..............@.0..reloc..<............8..............@.0B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):259014
Entropy (8bit):6.075222655669795
Encrypted:false
SSDEEP:3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
MD5:B4FDE05A19346072C713BE2926AF8961
SHA1:102562DE2240042B654C464F1F22290676CB6E0F
SHA-256:513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
SHA-512:9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#..............................xe.........................@.......{........ .........................+;......L.......0.................... ..8...................................................h................................text...............................`.P`.data...$...........................@.0..rdata.../.......0..................@.`@/4.......l.......n..................@.0@.bss....,.............................`..edata..+;.......<...d..............@.0@.idata..L...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...0...........................@.0..reloc..8.... ......................@.0B........................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):121524
Entropy (8bit):6.347995296737745
Encrypted:false
SSDEEP:1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
MD5:6CE25FB0302F133CC244889C360A6541
SHA1:352892DD270135AF5A79322C3B08F46298B6E79C
SHA-256:E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
SHA-512:3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8r>....7......#.....^...................p.....n.........................0................ ........................._.................................... .......................................................................................text...X].......^..................`.P`.data... ....p.......b..............@.0..rdata........... ...d..............@.`@/4...............0..................@.0@.bss....(.............................`..edata.._...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc....... ......................@.0B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):448557
Entropy (8bit):6.353356595345232
Encrypted:false
SSDEEP:12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
MD5:908111F583B7019D2ED3492435E5092D
SHA1:8177C5E3B4D5CC1C65108E095D07E0389164DA76
SHA-256:E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
SHA-512:FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....,...................@.....i......................... ......._........ .........................[.......X...............................(&...................................................... ............................text...d*.......,..................`.P`.data........@.......0..............@.`..rdata......P.......2..............@.`@/4..................................@.0@.bss....|.............................`..edata..[............j..............@.0@.idata..X...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..(&.......(..................@.0B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):92019
Entropy (8bit):5.974787373427489
Encrypted:false
SSDEEP:1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
MD5:CC7DAD980DD04E0387795741D809CBF7
SHA1:A49178A17B1C72AD71558606647F5011E0AA444B
SHA-256:0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
SHA-512:E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(....0..7......#.........,.....................m................................B......... ...................... .......0...*...........................................................p......................t5...............................text..............................`.P`.data... ...........................@.0..rdata..............................@.`@/4.......(.......*..................@.0@.bss..................................`..edata....... ......................@.0@.idata...*...0...,..................@.0..CRT....,....`....... ..............@.0..tls.... ....p......."..............@.0..rsrc................$..............@.0..reloc...............(..............@.0B........................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):140752
Entropy (8bit):6.52778891175594
Encrypted:false
SSDEEP:3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
MD5:A8F646EB087F06F5AEBC2539EB14C14D
SHA1:4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
SHA-256:A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
SHA-512:93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....T...................p.....a.......................................... ......................0.......@.......p..@.......................T............................`......................8B...............................text....R.......T..................`.P`.data........p.......X..............@.`..rdata...F.......H...\..............@.`@/4......L3.......4..................@.0@.bss....@.............................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...@....p......................@.0..reloc..T...........................@.0B........................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):101544
Entropy (8bit):6.237382830377451
Encrypted:false
SSDEEP:1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
MD5:E13FCD8FB16E483E4DE47A036687D904
SHA1:A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
SHA-256:0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
SHA-512:38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#.........`....................Hk.................................$........ ......................`..-....p......................................................................................Lt...............................text...............................`.P`.data...L...........................@.0..rdata..............................@.`@/4.......*... ...,..................@.0@.bss.........P........................`..edata..-....`.......*..............@.0@.idata.......p... ...0..............@.0..CRT....,............P..............@.0..tls.... ............R..............@.0..rsrc................T..............@.0..reloc...............X..............@.0B........................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):174543
Entropy (8bit):6.3532700320638025
Encrypted:false
SSDEEP:3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
MD5:65D8CB2733295758E5328E5A3E1AFF15
SHA1:F2378928BB9CCFBA566EC574E501F6A82A833143
SHA-256:E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
SHA-512:BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........g......#...............................c................................6......... .........................Y@......................................0....................................................................................text...D...........................`.P`.data...............................@.`..rdata..0".......$..................@.`@/4.......Z.......\..................@.0@.bss....t....p........................`..edata..Y@.......B...8..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..0...........................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:modified
                                                                            Size (bytes):3532288
                                                                            Entropy (8bit):6.823700285250343
                                                                            Encrypted:false
                                                                            SSDEEP:98304:GYM3RNgO0uIXlN1qw7BuptzATsdI7+9CL28guA:GdhNgZfTMK2
                                                                            MD5:DB1B847C721315246794C6FF66CF49AD
                                                                            SHA1:72DAFA74BFF9CAFE8309B04FCCA706154834FBFB
                                                                            SHA-256:36F3E6FDD68E9E229BC5891F3D5F4F538C594BB638F9A200DC227B941ADD3729
                                                                            SHA-512:761276F62184940372F40A51C7AE64C1455B42FE4828C73BC866D37699CF5C12A8C60BDDCCF9919CCC01823FEB5E3232F527C9574F692E6CB2CAD7290749E3FC
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....b.L.................."..x.......z"......."...@..........................`6......q6.....................................D.".......#...............................................................................".d............................text.....".......".................`....rdata...(...."..*....".............@..@_cde_4..8.....#..0....".............@....rsrc.........#.......#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):121524
                                                                            Entropy (8bit):6.347995296737745
                                                                            Encrypted:false
                                                                            SSDEEP:1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
                                                                            MD5:6CE25FB0302F133CC244889C360A6541
                                                                            SHA1:352892DD270135AF5A79322C3B08F46298B6E79C
                                                                            SHA-256:E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
                                                                            SHA-512:3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8r>....7......#.....^...................p.....n.........................0................ ........................._.................................... .......................................................................................text...X].......^..................`.P`.data... ....p.......b..............@.0..rdata........... ...d..............@.`@/4...............0..................@.0@.bss....(.............................`..edata.._...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc....... ......................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):814068
                                                                            Entropy (8bit):6.5113626552096
                                                                            Encrypted:false
                                                                            SSDEEP:24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
                                                                            MD5:5B1EB4B36F189362DEF93BF3E37354CC
                                                                            SHA1:8C0A4992A6180D0256ABF669DFDEE228F03300BA
                                                                            SHA-256:D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
                                                                            SHA-512:BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wl....i......#..............................Tl.................................`........ ..........................b...`...L.......h...................@...I...................................................j..X............................text..............................`.P`.data...............................@.`..rdata..\...........................@.`@/4.......S...p...T...H..............@.0@.bss..................................`..edata...b.......d..................@.0@.idata...L...`...L..................@.0..CRT....,............L..............@.0..tls.... ............N..............@.0..rsrc....h.......j...P..............@.0..reloc...I...@...J..................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):181527
                                                                            Entropy (8bit):6.362061002967905
                                                                            Encrypted:false
                                                                            SSDEEP:3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
                                                                            MD5:0D0D311D1837705B1EAFBC5A85A695BD
                                                                            SHA1:AA7FA3EB181CC5E5B0AA240892156A1646B45184
                                                                            SHA-256:AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
                                                                            SHA-512:14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..............#..............................Te......................... ................ .........................b........#......................................................................................H............................text...$...........................`.P`.data...4...........................@.0..rdata...J.......L..................@.`@/4.......I... ...J..................@.0@.bss.........p........................`..edata..b............@..............@.0@.idata...#.......$...V..............@.0..CRT....,............z..............@.0..tls.... ............|..............@.0..rsrc................~..............@.0..reloc..............................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):268404
                                                                            Entropy (8bit):6.265024248848175
                                                                            Encrypted:false
                                                                            SSDEEP:3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
                                                                            MD5:C4C23388109D8A9CC2B87D984A1F09B8
                                                                            SHA1:74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
                                                                            SHA-256:11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
                                                                            SHA-512:060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....V...................p....4j.......................................... ......................`.......`..xk..............................D....................................................k...............................text....T.......V..................`.P`.data... ....p.......Z..............@.0..rdata..X ......."...\..............@.`@/4......0............~..............@.0@.bss....H....P........................`..edata.......`......................@.0@.idata..xk...`...l..................@.0..CRT....,............x..............@.0..tls.... ............z..............@.0..reloc..D............|..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):463112
                                                                            Entropy (8bit):6.363613724826455
                                                                            Encrypted:false
                                                                            SSDEEP:12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
                                                                            MD5:D9D9C79E35945FCA3F9D9A49378226E7
                                                                            SHA1:4544A47D5B9765E5717273AAFF62724DF643F8F6
                                                                            SHA-256:18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
                                                                            SHA-512:B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........V.........#.........R....................lf.......................................... ......................@..w.......................................<....................................................................................text...$...........................`.P`.data... ...........................@.0..rdata...J.......L..................@.`@/4..................................@.0@.bss....h....0........................`..edata..w....@......................@.0@.idata..............................@.0..CRT....,............4..............@.0..tls.... ............6..............@.0..reloc..<............8..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):26562
                                                                            Entropy (8bit):5.606958768500933
                                                                            Encrypted:false
                                                                            SSDEEP:768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
                                                                            MD5:E9C7068B3A10C09A283259AA1B5D86F2
                                                                            SHA1:3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
                                                                            SHA-256:06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
                                                                            SHA-512:AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7G7.Z..V......#.....(...V...............@.....m.......................................... .........................O...............p.......................l.......................................................@............................text....&.......(..................`.P`.data...0....@.......,..............@.0..rdata.......P......................@.0@/4...........`.......6..............@.0@.bss.........p........................`..edata..O............B..............@.0@.idata...............D..............@.0..CRT....,............N..............@.0..tls.... ............P..............@.0..rsrc...p............R..............@.0..reloc..l............V..............@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):337171
                                                                            Entropy (8bit):6.46334441651647
                                                                            Encrypted:false
                                                                            SSDEEP:3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
                                                                            MD5:51D62C9C7D56F2EF2F0F628B8FC249AD
                                                                            SHA1:33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
                                                                            SHA-256:FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
                                                                            SHA-512:03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#......................... .....c.........................`................ ..........................8........... .......................0.../......................................................`............................text...............................`.P`.data...`.... ......................@.0..rdata..4....0......................@.`@/4......D...........................@.0@.bss..................................`..edata...8.......:...p..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc.../...0...0..................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):174543
                                                                            Entropy (8bit):6.3532700320638025
                                                                            Encrypted:false
                                                                            SSDEEP:3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
                                                                            MD5:65D8CB2733295758E5328E5A3E1AFF15
                                                                            SHA1:F2378928BB9CCFBA566EC574E501F6A82A833143
                                                                            SHA-256:E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
                                                                            SHA-512:BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........g......#...............................c................................6......... .........................Y@......................................0....................................................................................text...D...........................`.P`.data...............................@.`..rdata..0".......$..................@.`@/4.......Z.......\..................@.0@.bss....t....p........................`..edata..Y@.......B...8..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..0...........................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):235032
                                                                            Entropy (8bit):6.398850087061798
                                                                            Encrypted:false
                                                                            SSDEEP:6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
                                                                            MD5:E1D0ACD1243F9E59491DC115F4E379A4
                                                                            SHA1:5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
                                                                            SHA-256:FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
                                                                            SHA-512:392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........Y......#..............................tp.......................................... .........................$...............................................................................................<............................text...............................`.P`.data...L...........................@.0..rdata...1.......2..................@.`@/4.......m... ...n..................@.0@.bss..................................`..edata..$............`..............@.0@.idata...............j..............@.0..CRT....,............t..............@.0..tls.... ............v..............@.0..reloc...............x..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):441975
                                                                            Entropy (8bit):6.372283713065844
                                                                            Encrypted:false
                                                                            SSDEEP:6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
                                                                            MD5:6CD78C8ADD1CFC7CBB85E2B971FCC764
                                                                            SHA1:5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
                                                                            SHA-256:C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
                                                                            SHA-512:EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):140752
                                                                            Entropy (8bit):6.52778891175594
                                                                            Encrypted:false
                                                                            SSDEEP:3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
                                                                            MD5:A8F646EB087F06F5AEBC2539EB14C14D
                                                                            SHA1:4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
                                                                            SHA-256:A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
                                                                            SHA-512:93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):509934
                                                                            Entropy (8bit):6.031080686301204
                                                                            Encrypted:false
                                                                            SSDEEP:6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
                                                                            MD5:02E6C6AB886700E6F184EEE43157C066
                                                                            SHA1:E796B7F7762BE9B90948EB80D0138C4598700ED9
                                                                            SHA-256:EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
                                                                            SHA-512:E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):397808
                                                                            Entropy (8bit):6.396146399966879
                                                                            Encrypted:false
                                                                            SSDEEP:6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
                                                                            MD5:E0747D2E573E0A05A7421C5D9B9D63CC
                                                                            SHA1:C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
                                                                            SHA-256:25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
                                                                            SHA-512:201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):171848
                                                                            Entropy (8bit):6.579154579239999
                                                                            Encrypted:false
                                                                            SSDEEP:3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
                                                                            MD5:236A679AB1B16E66625AFBA86A4669EB
                                                                            SHA1:73AE354886AB2609FFA83429E74D8D9F34BD45F2
                                                                            SHA-256:B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
                                                                            SHA-512:C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):259014
                                                                            Entropy (8bit):6.075222655669795
                                                                            Encrypted:false
                                                                            SSDEEP:3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
                                                                            MD5:B4FDE05A19346072C713BE2926AF8961
                                                                            SHA1:102562DE2240042B654C464F1F22290676CB6E0F
                                                                            SHA-256:513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
                                                                            SHA-512:9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):64724
                                                                            Entropy (8bit):5.910307743399971
                                                                            Encrypted:false
                                                                            SSDEEP:768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
                                                                            MD5:7AF455ADEA234DEA33B2A65B715BF683
                                                                            SHA1:F9311CB03DCF50657D160D89C66998B9BB1F40BA
                                                                            SHA-256:6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
                                                                            SHA-512:B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):92019
                                                                            Entropy (8bit):5.974787373427489
                                                                            Encrypted:false
                                                                            SSDEEP:1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
                                                                            MD5:CC7DAD980DD04E0387795741D809CBF7
                                                                            SHA1:A49178A17B1C72AD71558606647F5011E0AA444B
                                                                            SHA-256:0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
                                                                            SHA-512:E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):165739
                                                                            Entropy (8bit):6.062324507479428
                                                                            Encrypted:false
                                                                            SSDEEP:3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
                                                                            MD5:E2F18B37BC3D02CDE2E5C15D93E38418
                                                                            SHA1:1A6C58F4A50269D3DB8C86D94B508A1919841279
                                                                            SHA-256:7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
                                                                            SHA-512:61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):101544
                                                                            Entropy (8bit):6.237382830377451
                                                                            Encrypted:false
                                                                            SSDEEP:1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
                                                                            MD5:E13FCD8FB16E483E4DE47A036687D904
                                                                            SHA1:A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
                                                                            SHA-256:0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
                                                                            SHA-512:38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):291245
                                                                            Entropy (8bit):6.234245376773595
                                                                            Encrypted:false
                                                                            SSDEEP:6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
                                                                            MD5:2D8A0BC588118AA2A63EED7BF6DFC8C5
                                                                            SHA1:7FB318DC21768CD62C0614D7AD773CCFB7D6C893
                                                                            SHA-256:707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
                                                                            SHA-512:A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):706136
                                                                            Entropy (8bit):6.517672165992715
                                                                            Encrypted:false
                                                                            SSDEEP:12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
                                                                            MD5:3A8A13F0215CDA541EC58F7C80ED4782
                                                                            SHA1:085C3D5F62227319446DD61082919F6BE1EFD162
                                                                            SHA-256:A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
                                                                            SHA-512:4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):248781
                                                                            Entropy (8bit):6.474165596279956
                                                                            Encrypted:false
                                                                            SSDEEP:3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
                                                                            MD5:C4002F9E4234DFB5DBE64C8D2C9C2F09
                                                                            SHA1:5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
                                                                            SHA-256:F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
                                                                            SHA-512:4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........]......#...............................h......................... .......!........ .........................A.......\.......................................................................................\............................text..............................`.P`.data...T...........................@.0..rdata..P[.......\..................@.`@/4.......v...0...v..................@.0@.bss..................................`..edata..A........ ..................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):248694
                                                                            Entropy (8bit):6.346971642353424
                                                                            Encrypted:false
                                                                            SSDEEP:6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
                                                                            MD5:39A15291B9A87AEE42FBC46EC1FE35D6
                                                                            SHA1:AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
                                                                            SHA-256:7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
                                                                            SHA-512:FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....x.........................i.......................................... ......................`..u........1...................................................................................................................text...Tw.......x..................`.P`.data................|..............@.`..rdata..t;.......<...~..............@.`@/4.......f.......h..................@.0@.bss.........P........................`..edata..u....`......."..............@.0@.idata...1.......2...>..............@.0..CRT....,............p..............@.0..tls.... ............r..............@.0..reloc...............t..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):30994
                                                                            Entropy (8bit):5.666281517516177
                                                                            Encrypted:false
                                                                            SSDEEP:768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
                                                                            MD5:3C033F35FE26BC711C4D68EB7CF0066D
                                                                            SHA1:83F1AED76E6F847F6831A1A1C00FEDC50F909B81
                                                                            SHA-256:9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
                                                                            SHA-512:7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#.....*...l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.......*..................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):448557
                                                                            Entropy (8bit):6.353356595345232
                                                                            Encrypted:false
                                                                            SSDEEP:12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
                                                                            MD5:908111F583B7019D2ED3492435E5092D
                                                                            SHA1:8177C5E3B4D5CC1C65108E095D07E0389164DA76
                                                                            SHA-256:E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
                                                                            SHA-512:FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....,...................@.....i......................... ......._........ .........................[.......X...............................(&...................................................... ............................text...d*.......,..................`.P`.data........@.......0..............@.`..rdata......P.......2..............@.`@/4..................................@.0@.bss....|.............................`..edata..[............j..............@.0@.idata..X...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..(&.......(..................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):65181
                                                                            Entropy (8bit):6.085572761520829
                                                                            Encrypted:false
                                                                            SSDEEP:768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
                                                                            MD5:98A49CC8AE2D608C6E377E95833C569B
                                                                            SHA1:BA001D8595AC846D9736A8A7D9161828615C135A
                                                                            SHA-256:213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
                                                                            SHA-512:C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):720373
                                                                            Entropy (8bit):6.50718990824635
                                                                            Encrypted:false
                                                                            SSDEEP:12288:Vhu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURAFDExyFn:nu7eEYCP8trP837szHUA60SLtcV3E9RT
                                                                            MD5:A78837E6F10C665932DAC5D809524995
                                                                            SHA1:91C350A9BDDB14510BD7C7693E4F789251E682E8
                                                                            SHA-256:D42B415E36E2F48CC320391B6EAFE32FC7E9293808A7ACB3758437024DC80099
                                                                            SHA-512:5F569B6BBB584DC6DFBA40D66D92FF1B94EBCE637FB5E51C357D9240C6E7F97B1880CC5ECB13B0157B13DD4C818A758AE759D4256E25A766B3D818BB1E2668A6
                                                                            Malicious:true
                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:InnoSetup Log Jenny Video Converter, version 0x30, 6004 bytes, 841618\user, "C:\Users\user\AppData\Local\Jenny Video Converter"
                                                                            Category:dropped
                                                                            Size (bytes):6004
                                                                            Entropy (8bit):4.816383495178414
                                                                            Encrypted:false
                                                                            SSDEEP:96:qSadWq4883p49QP3V9a+eOIhYNQ2dUrBXdNN6xsi6kG6LW6ad2BMgnBc6weKul6u:qHdWq48cp4983DHIhjg6hJpABV
                                                                            MD5:9C388E21A542B053FAB30A246C2E5BD3
                                                                            SHA1:F82BFF295BFFCC1D380539A594B214ADEFCFC0B5
                                                                            SHA-256:74706FC6B19F072B4D4667AE34C6D16411F0BCC1FF7CAF91B08345F9634C0784
                                                                            SHA-512:03D3A731AF7A8866F535B8FE5321A3D348E2421B1B9D8083F9585B52AE4045B08905E89B3636211ED0E0BAF14B7E6A044E3D08A5050C2B72A3354532B1094F0B
                                                                            Malicious:false
                                                                            Preview:Inno Setup Uninstall Log (b)....................................Jenny Video Converter...........................................................................................................Jenny Video Converter...........................................................................................................0..."...t...%.................................................................................................................h.........i%.N......X....841618.user5C:\Users\user\AppData\Local\Jenny Video Converter.............3.... ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dl
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):720373
                                                                            Entropy (8bit):6.50718990824635
                                                                            Encrypted:false
                                                                            SSDEEP:12288:Vhu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURAFDExyFn:nu7eEYCP8trP837szHUA60SLtcV3E9RT
                                                                            MD5:A78837E6F10C665932DAC5D809524995
                                                                            SHA1:91C350A9BDDB14510BD7C7693E4F789251E682E8
                                                                            SHA-256:D42B415E36E2F48CC320391B6EAFE32FC7E9293808A7ACB3758437024DC80099
                                                                            SHA-512:5F569B6BBB584DC6DFBA40D66D92FF1B94EBCE637FB5E51C357D9240C6E7F97B1880CC5ECB13B0157B13DD4C818A758AE759D4256E25A766B3D818BB1E2668A6
                                                                            Malicious:true
                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):98626
                                                                            Entropy (8bit):6.478068795827396
                                                                            Encrypted:false
                                                                            SSDEEP:1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
                                                                            MD5:70CA53E8B46464CCF956D157501D367A
                                                                            SHA1:AE0356FAE59D9C2042270E157EA0D311A831C86A
                                                                            SHA-256:4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
                                                                            SHA-512:CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....='=.x..=......#.........t.....................c.......................................... .................................8...............................0...................................................0................................text...t...........................`.P`.data... ...........................@.0..rdata...M.......N..................@.`@/4......t&...P...(...4..............@.0@.bss..................................`..edata...............\..............@.0@.idata..8............f..............@.0..CRT....,............n..............@.0..tls.... ............p..............@.0..reloc..0............r..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):4096
                                                                            Entropy (8bit):4.026670007889822
                                                                            Encrypted:false
                                                                            SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
                                                                            MD5:0EE914C6F0BB93996C75941E1AD629C6
                                                                            SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
                                                                            SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
                                                                            SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................|.......|.......|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):2560
                                                                            Entropy (8bit):2.8818118453929262
                                                                            Encrypted:false
                                                                            SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                            MD5:A69559718AB506675E907FE49DEB71E9
                                                                            SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                            SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                            SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.215994423157539
Encrypted: false
SSDEEP: 96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5: 4FF75F505FDDCC6A9AE62216446205D9
SHA1: EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256: A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512: BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 23312
Entropy (8bit): 4.596242908851566
Encrypted: false
SSDEEP: 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA1: 3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512: 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Ui6sm6N5JG.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 709120
Entropy (8bit): 6.498758763808446
Encrypted: false
SSDEEP: 12288:thu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURAFDExyF:Pu7eEYCP8trP837szHUA60SLtcV3E9RT
MD5: C6A64497A14D9C70B36107218E969B1F
SHA1: 9ED3F09A478E46C8FD4FBAF1F60B7C09938F5A52
SHA-256: D6385623CD895C76190DD227FDB8BE40550BAC8CD285BB23B4A0EB57191C8ECD
SHA-512: C9A1B961DAD096FEC56C41D625AFE31AEA1CF3455B00CBEF43E9255F7668B42EAC4AC61783DE8C872A0D950140FF4D2A1035E1BD55654A21C4549650F922F64E
Malicious: true
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.998628758699574
TrID:
• Win32 Executable (generic) a (10002005/4) 98.86%
• Inno Setup installer (109748/4) 1.08%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: Ui6sm6N5JG.exe
File size: 4'537'644 bytes
MD5: 4eb0ec18b14f303b5de820f0a82c747b
SHA1: 1483f2c301140245e3c2c8695db704e2971ab778
SHA256: 5ef90c4636c4d4e6684e16bcb057e914a9e318098f87d196c09017f84e9229c3
SHA512: 2423377a69c4856840b3463c5c104d0df3f4199258f69a091d1eb2641a00264dfdfa39f3e48a13e63cfe70978080ffeb3e29cf9ba0af0bd79ec3c3160164ba02
SSDEEP: 98304:NSr00NqqoJ0yY4iwMFg//rb0M2G8bctsdAuUeLef8AXWYTtEsKsEdxS:AV7FUb8G8bCsIeLaFXW1aEa
TLSH: 7E2633A86F492470C0839F7A4D67E05D85662F31467E01FD74DCBF88BC92A68F729386
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 2d2e3797b32b2b99
Entrypoint: 0x409c40
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 1
OS Version Minor: 0
File Version Major: 1
File Version Minor: 0
Subsystem Version Major: 1
Subsystem Version Minor: 0
Import Hash: 884310b1928934402ea6fec1dbd3cf5e
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F4F192C796Bh
call 00007F4F192C8B72h
call 00007F4F192C8E01h
call 00007F4F192CAE38h
call 00007F4F192CAE7Fh
call 00007F4F192CD7AEh
call 00007F4F192CD915h
xor eax, eax
push ebp
push 0040A2FCh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A2C5h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F4F192CE37Bh
call 00007F4F192CDFAEh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F4F192CB468h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CE24h
call 00007F4F192C7A17h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CE24h]
mov dl, 01h
mov eax, 0040738Ch
call 00007F4F192CBCF7h
mov dword ptr [0040CE28h], eax
xor edx, edx
push ebp
push 0040A27Dh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F4F192CE3EBh
mov dword ptr [0040CE30h], eax
mov eax, dword ptr [0040CE30h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F4F192CE52Ah
mov eax, dword ptr [0040CE30h]
mov edx, 00000028h
call 00007F4F192CC0F8h
mov edx, dword ptr [00000030h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9364 | 0x9400 | 2c410dfc3efd04d9b69c35c70921424e | False | 0.6147856841216216 | data | 6.560885192755103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | d5ea23d4ecf110fd2591314cbaa84278 | False | 0.310546875 | data | 2.7390956346874638 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe88 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 337ccf201d5b681ff5980586debaeddf | False | 0.32270951704545453 | data | 4.460620831407631 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.2764900662251656
RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-07T11:22:48.971344+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59604 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:49.793291+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59605 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:50.605563+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59606 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:51.438713+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59607 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:51.789175+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59607 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:52.620859+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59608 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:53.436040+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59609 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:54.253416+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59610 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:54.603727+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59610 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:55.722808+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59611 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:56.066569+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59611 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:56.417077+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59611 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:57.226712+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59612 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:58.598360+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59613 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:58.947800+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59613 | 185.208.158.248 | 80 | TCP
2024-10-07T11:22:59.785585+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59614 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:00.136536+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59614 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:00.948441+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59615 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:01.761798+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59616 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:02.574438+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59617 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:03.402706+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59618 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:04.210530+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59619 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:05.259815+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59620 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:06.082723+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59621 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:07.028879+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59622 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:08.126262+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59623 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:08.472640+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59623 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:08.816538+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59623 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:09.165971+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59623 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:09.991703+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59624 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:10.806083+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59625 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:11.620732+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59626 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:12.449162+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59627 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:13.280081+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59628 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:14.087196+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59629 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:14.949401+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59630 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:15.791854+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59631 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:17.536737+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59632 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:17.883289+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59632 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:18.716795+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59633 | 185.208.158.248 | 80 | TCP
2024-10-07T11:23:19.526097+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.6 | 59634 | 185.208.158.248 | 80 | TCP
                                                                            2024-10-07T11:23:20.348524+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659635185.208.158.24880TCP
                                                                            2024-10-07T11:23:20.694652+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659635185.208.158.24880TCP
                                                                            2024-10-07T11:23:21.512749+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659636185.208.158.24880TCP
                                                                            2024-10-07T11:23:22.316563+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659637185.208.158.24880TCP
                                                                            2024-10-07T11:23:22.659710+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659637185.208.158.24880TCP
                                                                            2024-10-07T11:23:23.003436+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659637185.208.158.24880TCP
                                                                            2024-10-07T11:23:23.347525+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659637185.208.158.24880TCP
                                                                            2024-10-07T11:23:23.692253+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659637185.208.158.24880TCP
                                                                            2024-10-07T11:23:24.553256+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659638185.208.158.24880TCP
                                                                            2024-10-07T11:23:25.374154+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659639185.208.158.24880TCP
                                                                            2024-10-07T11:23:26.174407+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659640185.208.158.24880TCP
                                                                            2024-10-07T11:23:26.519407+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659640185.208.158.24880TCP
                                                                            2024-10-07T11:23:26.862449+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659640185.208.158.24880TCP
                                                                            2024-10-07T11:23:27.206489+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659640185.208.158.24880TCP
                                                                            2024-10-07T11:23:27.550688+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659640185.208.158.24880TCP
                                                                            2024-10-07T11:23:27.894076+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659640185.208.158.24880TCP
                                                                            2024-10-07T11:23:28.240936+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659640185.208.158.24880TCP
                                                                            2024-10-07T11:23:29.068530+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659641185.208.158.24880TCP
                                                                            2024-10-07T11:23:30.094304+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659642185.208.158.24880TCP
                                                                            2024-10-07T11:23:30.443202+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659642185.208.158.24880TCP
                                                                            2024-10-07T11:23:31.379470+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659643185.208.158.24880TCP
                                                                            2024-10-07T11:23:31.723779+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659643185.208.158.24880TCP
                                                                            2024-10-07T11:23:32.531358+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659644185.208.158.24880TCP
                                                                            2024-10-07T11:23:33.345283+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659645185.208.158.24880TCP
                                                                            2024-10-07T11:23:33.690618+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659645185.208.158.24880TCP
                                                                            2024-10-07T11:23:34.484914+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659646185.208.158.24880TCP
                                                                            2024-10-07T11:23:34.832092+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659646185.208.158.24880TCP
                                                                            2024-10-07T11:23:35.641275+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659647185.208.158.24880TCP
                                                                            2024-10-07T11:23:36.538140+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659648185.208.158.24880TCP
                                                                            2024-10-07T11:23:37.353501+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659649185.208.158.24880TCP
                                                                            2024-10-07T11:23:38.189415+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659650185.208.158.24880TCP
                                                                            2024-10-07T11:23:38.541652+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659650185.208.158.24880TCP
                                                                            2024-10-07T11:23:39.350926+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659651185.208.158.24880TCP
                                                                            2024-10-07T11:23:40.156889+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659652185.208.158.24880TCP
                                                                            2024-10-07T11:23:40.509367+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659652185.208.158.24880TCP
                                                                            2024-10-07T11:23:41.324682+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659653185.208.158.24880TCP
                                                                            2024-10-07T11:23:42.126233+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659654185.208.158.24880TCP
                                                                            2024-10-07T11:23:42.472059+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659654185.208.158.24880TCP
                                                                            2024-10-07T11:23:42.828523+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659654185.208.158.24880TCP
                                                                            2024-10-07T11:23:43.643600+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659655185.208.158.24880TCP
                                                                            2024-10-07T11:23:43.988232+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659655185.208.158.24880TCP
                                                                            2024-10-07T11:23:44.331345+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659655185.208.158.24880TCP
                                                                            2024-10-07T11:23:44.678740+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659655185.208.158.24880TCP
                                                                            2024-10-07T11:23:45.507144+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659656185.208.158.24880TCP
                                                                            2024-10-07T11:23:46.331991+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659657185.208.158.24880TCP
                                                                            2024-10-07T11:23:47.153383+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659658185.208.158.24880TCP
                                                                            2024-10-07T11:23:47.959221+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659659185.208.158.24880TCP
                                                                            2024-10-07T11:23:48.768707+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659660185.208.158.24880TCP
                                                                            2024-10-07T11:23:49.582074+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659661185.208.158.24880TCP
                                                                            2024-10-07T11:23:50.394559+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659662185.208.158.24880TCP
                                                                            2024-10-07T11:23:51.207363+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659663185.208.158.24880TCP
                                                                            2024-10-07T11:23:52.017660+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659664185.208.158.24880TCP
                                                                            2024-10-07T11:23:52.843624+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659665185.208.158.24880TCP
                                                                            2024-10-07T11:23:53.689584+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659666185.208.158.24880TCP
                                                                            2024-10-07T11:23:54.488231+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659667185.208.158.24880TCP
                                                                            2024-10-07T11:23:55.303481+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659668185.208.158.24880TCP
                                                                            2024-10-07T11:23:56.113060+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659669185.208.158.24880TCP
                                                                            2024-10-07T11:23:56.925112+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659670185.208.158.24880TCP
                                                                            2024-10-07T11:23:57.723175+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.659672185.208.158.24880TCP
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                            Oct 7, 2024 11:23:00.257555008 CEST8059615185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:00.257673979 CEST5961580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:00.257844925 CEST5961580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:00.262914896 CEST8059615185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:00.948250055 CEST8059615185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:00.948441029 CEST5961580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:01.065529108 CEST5961580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:01.065862894 CEST5961680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:01.071119070 CEST8059615185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:01.071223974 CEST8059616185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:01.071235895 CEST5961580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:01.071297884 CEST5961680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:01.071422100 CEST5961680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:01.076226950 CEST8059616185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:01.761616945 CEST8059616185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:01.761797905 CEST5961680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:01.878609896 CEST5961680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:01.879005909 CEST5961780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:01.883728981 CEST8059616185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:01.883771896 CEST8059617185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:01.883797884 CEST5961680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:01.884012938 CEST5961780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:01.884012938 CEST5961780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:01.888794899 CEST8059617185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:02.574290991 CEST8059617185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:02.574438095 CEST5961780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:02.690617085 CEST5961780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:02.690881014 CEST5961880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:02.695698023 CEST8059618185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:02.695884943 CEST8059617185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:02.696053028 CEST5961880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:02.696053028 CEST5961880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:02.696053028 CEST5961780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:02.700867891 CEST8059618185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:03.402308941 CEST8059618185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:03.402705908 CEST5961880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:03.519188881 CEST5961880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:03.519511938 CEST5961980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:03.524476051 CEST8059619185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:03.524583101 CEST5961980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:03.524712086 CEST8059618185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:03.524768114 CEST5961880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:03.526848078 CEST5961980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:03.531860113 CEST8059619185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:04.210405111 CEST8059619185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:04.210530043 CEST5961980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:04.379935026 CEST5961980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:04.380239010 CEST5962080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:04.574949026 CEST8059620185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:04.574964046 CEST8059619185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:04.575124979 CEST5961980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:04.575134039 CEST5962080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:04.575417042 CEST5962080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:04.580399990 CEST8059620185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:05.259627104 CEST8059620185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:05.259814978 CEST5962080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:05.377645969 CEST5962080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:05.377891064 CEST5962180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:05.382929087 CEST8059620185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:05.383022070 CEST5962080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:05.383488894 CEST8059621185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:05.383574009 CEST5962180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:05.383836985 CEST5962180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:05.388971090 CEST8059621185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:06.082500935 CEST8059621185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:06.082722902 CEST5962180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:06.205538988 CEST5962180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:06.205841064 CEST5962280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:06.320663929 CEST8059621185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:06.320775032 CEST5962180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:06.320898056 CEST8059622185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:06.321079016 CEST5962280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:06.323021889 CEST5962280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:06.327790022 CEST8059622185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:07.028770924 CEST8059622185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:07.028878927 CEST5962280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:07.143208981 CEST5962280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:07.143522024 CEST5962380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:07.428035021 CEST8059622185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:07.428052902 CEST8059623185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:07.428241014 CEST5962380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:07.428242922 CEST5962280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:07.428416967 CEST5962380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:07.434739113 CEST8059623185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:08.126156092 CEST8059623185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:08.126261950 CEST5962380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:08.237034082 CEST5962380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:08.241883039 CEST8059623185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:08.472575903 CEST8059623185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:08.472640038 CEST5962380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:08.580820084 CEST5962380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:08.585732937 CEST8059623185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:08.816448927 CEST8059623185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:08.816538095 CEST5962380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:08.924525976 CEST5962380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:08.929409027 CEST8059623185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:09.165888071 CEST8059623185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:09.165971041 CEST5962380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:09.283962965 CEST5962380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:09.284320116 CEST5962480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:09.289659023 CEST8059623185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:09.289745092 CEST5962380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:09.290014029 CEST8059624185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:09.290097952 CEST5962480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:09.290266037 CEST5962480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:09.295661926 CEST8059624185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:09.991529942 CEST8059624185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:09.991703033 CEST5962480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:10.111753941 CEST5962480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:10.112032890 CEST5962580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:10.117016077 CEST8059624185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:10.117080927 CEST8059625185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:10.117117882 CEST5962480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:10.117157936 CEST5962580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:10.117290020 CEST5962580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:10.122152090 CEST8059625185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:10.805923939 CEST8059625185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:10.806082964 CEST5962580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:10.924629927 CEST5962580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:10.924976110 CEST5962680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:10.930368900 CEST8059626185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:10.930413008 CEST8059625185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:10.930495977 CEST5962680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:10.930533886 CEST5962580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:10.930772066 CEST5962680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:10.937336922 CEST8059626185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:11.620323896 CEST8059626185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:11.620732069 CEST5962680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:11.737201929 CEST5962680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:11.737488985 CEST5962780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:11.742552042 CEST8059626185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:11.742629051 CEST5962680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:11.743124962 CEST8059627185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:11.743191004 CEST5962780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:11.743282080 CEST5962780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:11.748330116 CEST8059627185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:12.449009895 CEST8059627185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:12.449162006 CEST5962780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:12.565849066 CEST5962780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:12.566416979 CEST5962880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:12.571099043 CEST8059627185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:12.571165085 CEST5962780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:12.571247101 CEST8059628185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:12.571325064 CEST5962880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:12.571504116 CEST5962880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:12.576323986 CEST8059628185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:13.279896975 CEST8059628185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:13.280081034 CEST5962880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:13.393275023 CEST5962880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:13.393615961 CEST5962980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:13.398488045 CEST8059628185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:13.398566008 CEST8059629185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:13.398583889 CEST5962880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:13.398653984 CEST5962980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:13.398755074 CEST5962980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:13.403546095 CEST8059629185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:14.087120056 CEST8059629185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:14.087196112 CEST5962980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:14.244663954 CEST5962980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:14.245033979 CEST5963080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:14.249933004 CEST8059630185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:14.249973059 CEST8059629185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:14.250020981 CEST5963080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:14.250041962 CEST5962980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:14.253559113 CEST5963080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:14.258460045 CEST8059630185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:14.949316025 CEST8059630185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:14.949400902 CEST5963080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:15.065402985 CEST5963080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:15.065635920 CEST5963180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:15.070492983 CEST8059631185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:15.070583105 CEST5963180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:15.070703983 CEST5963180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:15.070880890 CEST8059630185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:15.070935011 CEST5963080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:15.075541973 CEST8059631185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:15.791690111 CEST8059631185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:15.791853905 CEST5963180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:15.908497095 CEST5963180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:15.908797026 CEST5963280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:16.218699932 CEST5963180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:16.827284098 CEST8059631185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:16.827440023 CEST5963180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:16.828162909 CEST5963180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:16.828388929 CEST8059631185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:16.828440905 CEST5963180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:16.828705072 CEST8059631185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:16.828759909 CEST5963180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:16.834369898 CEST8059632185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:16.834475994 CEST5963280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:16.834683895 CEST5963280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:16.835553885 CEST8059631185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:16.835760117 CEST5963180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:38.299849987 CEST5965080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:38.306102037 CEST8059650185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:38.541460991 CEST8059650185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:38.541651964 CEST5965080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:38.659532070 CEST5965080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:38.659965992 CEST5965180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:38.664840937 CEST8059650185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:38.664869070 CEST8059651185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:38.664933920 CEST5965080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:38.664988041 CEST5965180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:38.665159941 CEST5965180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:38.669986010 CEST8059651185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:39.350745916 CEST8059651185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:39.350925922 CEST5965180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:39.471451044 CEST5965180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:39.471772909 CEST5965280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:39.476666927 CEST8059652185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:39.476743937 CEST5965280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:39.476875067 CEST5965280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:39.477010012 CEST8059651185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:39.477067947 CEST5965180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:39.481704950 CEST8059652185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:40.156712055 CEST8059652185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:40.156888962 CEST5965280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:40.274615049 CEST5965280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:40.279470921 CEST8059652185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:40.509181023 CEST8059652185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:40.509366989 CEST5965280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:40.628117085 CEST5965280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:40.628509998 CEST5965380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:40.633559942 CEST8059652185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:40.633616924 CEST5965280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:40.634273052 CEST8059653185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:40.634349108 CEST5965380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:40.634476900 CEST5965380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:40.639518976 CEST8059653185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:41.324615002 CEST8059653185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:41.324681997 CEST5965380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:41.440296888 CEST5965380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:41.440629959 CEST5965480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:41.445349932 CEST8059653185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:41.445415974 CEST5965380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:41.445784092 CEST8059654185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:41.445852041 CEST5965480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:41.445979118 CEST5965480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:41.450733900 CEST8059654185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:42.126135111 CEST8059654185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:42.126233101 CEST5965480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:42.237283945 CEST5965480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:42.242955923 CEST8059654185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:42.472002029 CEST8059654185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:42.472059011 CEST5965480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:42.581017017 CEST5965480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:42.585884094 CEST8059654185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:42.828283072 CEST8059654185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:42.828522921 CEST5965480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:42.944359064 CEST5965480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:42.944726944 CEST5965580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:42.950119972 CEST8059654185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:42.950220108 CEST5965480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:42.950464964 CEST8059655185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:42.950553894 CEST5965580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:42.950824022 CEST5965580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:42.956654072 CEST8059655185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:43.643450975 CEST8059655185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:43.643599987 CEST5965580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:43.753026962 CEST5965580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:43.757896900 CEST8059655185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:43.988105059 CEST8059655185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:43.988231897 CEST5965580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:44.096805096 CEST5965580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:44.101634979 CEST8059655185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:44.331247091 CEST8059655185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:44.331345081 CEST5965580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:44.440423965 CEST5965580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:44.445195913 CEST8059655185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:44.678543091 CEST8059655185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:44.678740025 CEST5965580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:44.821583986 CEST5965580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:44.821938038 CEST5965680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:44.826745033 CEST8059656185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:44.826761007 CEST8059655185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:44.826817036 CEST5965680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:44.826855898 CEST5965580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:44.830337048 CEST5965680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:44.835191965 CEST8059656185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:45.507030964 CEST8059656185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:45.507143974 CEST5965680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:45.627999067 CEST5965680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:45.628350973 CEST5965780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:45.633097887 CEST8059656185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:45.633274078 CEST8059657185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:45.633297920 CEST5965680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:45.633352995 CEST5965780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:45.633476973 CEST5965780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:45.638258934 CEST8059657185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:46.328454018 CEST8059657185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:46.331990957 CEST5965780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:46.456216097 CEST5965780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:46.456600904 CEST5965880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:46.461416960 CEST8059658185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:46.461684942 CEST8059657185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:46.461766005 CEST5965780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:46.461910963 CEST5965880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:46.461910963 CEST5965880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:46.466795921 CEST8059658185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:47.153296947 CEST8059658185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:47.153383017 CEST5965880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:47.274118900 CEST5965880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:47.274401903 CEST5965980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:47.279417992 CEST8059659185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:47.279429913 CEST8059658185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:47.279489994 CEST5965980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:47.279524088 CEST5965880192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:47.284646034 CEST5965980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:47.289747000 CEST8059659185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:47.959098101 CEST8059659185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:47.959220886 CEST5965980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:48.081136942 CEST5965980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:48.081186056 CEST5966080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:48.086091995 CEST8059660185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:48.086266994 CEST5966080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:48.086335897 CEST5966080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:48.086350918 CEST8059659185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:48.086402893 CEST5965980192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:48.091382027 CEST8059660185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:48.768367052 CEST8059660185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:48.768707037 CEST5966080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:48.877883911 CEST5966080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:48.878220081 CEST5966180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:48.882927895 CEST8059660185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:48.882967949 CEST8059661185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:48.883119106 CEST5966080192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:48.883183956 CEST5966180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:48.883399963 CEST5966180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:48.888117075 CEST8059661185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:49.581882954 CEST8059661185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:49.582073927 CEST5966180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:49.706063032 CEST5966180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:49.706423998 CEST5966280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:49.711272955 CEST8059662185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:49.711348057 CEST8059661185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:49.711389065 CEST5966280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:49.711414099 CEST5966180192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:49.711750984 CEST5966280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:49.716526031 CEST8059662185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:50.394392967 CEST8059662185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:50.394558907 CEST5966280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:50.503012896 CEST5966380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:50.503408909 CEST5966280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:50.508162975 CEST8059663185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:50.508240938 CEST5966380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:50.508429050 CEST5966380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:50.508893013 CEST8059662185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:50.508945942 CEST5966280192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:50.513191938 CEST8059663185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:51.207310915 CEST8059663185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:51.207362890 CEST5966380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:51.317759037 CEST5966380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:51.318059921 CEST5966480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:51.322877884 CEST8059664185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:51.322976112 CEST5966480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:51.323774099 CEST5966480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:51.325387955 CEST8059663185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:51.325455904 CEST5966380192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:51.328521013 CEST8059664185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:52.017554045 CEST8059664185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:52.017659903 CEST5966480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:52.145005941 CEST5966480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:52.145390034 CEST5966580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:52.151447058 CEST8059665185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:52.151694059 CEST8059664185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:52.151788950 CEST5966580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:52.151842117 CEST5966480192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:52.151906967 CEST5966580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:52.156841040 CEST8059665185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:52.841253042 CEST8059665185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:52.843624115 CEST5966580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:53.004812002 CEST5966580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:53.005119085 CEST5966680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:53.009887934 CEST8059665185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:53.009906054 CEST8059666185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:53.009962082 CEST5966580192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:53.010005951 CEST5966680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:53.010171890 CEST5966680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:53.014889002 CEST8059666185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:53.689490080 CEST8059666185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:53.689584017 CEST5966680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:53.801822901 CEST5966680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:53.802253962 CEST5966780192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:53.807101965 CEST8059666185.208.158.248192.168.2.6
                                                                            Oct 7, 2024 11:23:53.807157040 CEST5966680192.168.2.6185.208.158.248
                                                                            Oct 7, 2024 11:23:53.807161093 CEST8059667185.208.158.248192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 11:22:08.775305986 CEST | 53 | 59010 | 162.159.36.2 | 192.168.2.6
Oct 7, 2024 11:22:09.245012045 CEST | 53337 | 53 | 192.168.2.6 | 1.1.1.1
Oct 7, 2024 11:22:09.252384901 CEST | 53 | 53337 | 1.1.1.1 | 192.168.2.6
Oct 7, 2024 11:22:47.632026911 CEST | 64417 | 53 | 192.168.2.6 | 91.211.247.248
Oct 7, 2024 11:22:47.827003002 CEST | 53 | 64417 | 91.211.247.248 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 7, 2024 11:22:09.245012045 CEST | 192.168.2.6 | 1.1.1.1 | 0x6142 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 7, 2024 11:22:47.632026911 CEST | 192.168.2.6 | 91.211.247.248 | 0x8cff | Standard query (0) | bfliimi.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 7, 2024 11:22:09.252384901 CEST | 1.1.1.1 | 192.168.2.6 | 0x6142 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 7, 2024 11:22:47.827003002 CEST | 91.211.247.248 | 192.168.2.6 | 0x8cff | No error (0) | bfliimi.com | | 185.208.158.248 | A (IP address) | IN (0x0001) | false
• bfliimi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 59604 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:22:48.275369883 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:48.971206903 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 59605 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:22:49.102626085 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:49.793174028 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 59606 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:22:49.913760900 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:50.605477095 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 59607 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:22:50.727710009 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:51.438627958 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:22:51.549252987 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:51.789082050 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 59608 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:22:51.914724112 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:52.620667934 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 59609 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:22:52.742176056 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:53.435962915 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 59610 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:22:53.565001011 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:54.250652075 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:22:54.361820936 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:54.600018024 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 59611 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:22:55.038760900 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:55.722721100 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:22:55.831315994 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:56.066490889 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:22:56.174513102 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:56.416848898 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 59612 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:22:56.539446115 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:57.226583958 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 59613 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:22:57.888284922 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:58.598203897 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:22:58.705559015 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:58.947726011 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 59614 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:22:59.078202009 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:22:59.785464048 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:22:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:22:59.893404007 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:00.136374950 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 59615 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:00.257844925 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:00.948250055 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 59616 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:01.071422100 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:01.761616945 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 59617 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:01.884012938 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:02.574290991 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 59618 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:02.696053028 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:03.402308941 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 59619 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:03.526848078 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:04.210405111 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 59620 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:04.575417042 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:05.259627104 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 59621 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:05.383836985 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:06.082500935 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.6 | 59622 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:06.323021889 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:07.028770924 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.6 | 59623 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:07.428416967 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:08.126156092 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:08.237034082 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:08.472575903 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:08.580820084 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:08.816448927 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:08.924525976 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:09.165888071 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.6 | 59624 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:09.290266037 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:09.991529942 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.6 | 59625 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:10.117290020 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:10.805923939 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.6 | 59626 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:10.930772066 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:11.620323896 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.6 | 59627 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:11.743282080 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:12.449009895 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.6 | 59628 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:12.571504116 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:13.279896975 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.6 | 59629 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:13.398755074 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:14.087120056 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.6 | 59630 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:14.253559113 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:14.949316025 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.6 | 59631 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:15.070703983 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:15.791690111 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:16.827284098 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:16.828388929 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:16.828705072 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.6 | 59632 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:16.834683895 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:17.536367893 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:17.643389940 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:17.883155107 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.6 | 59633 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:18.008759022 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:18.716684103 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.6 | 59634 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:18.836477995 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:19.525821924 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.6 | 59635 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:19.649010897 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:20.348436117 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:20.455966949 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:20.694567919 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.6 | 59636 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:20.825309992 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:21.512216091 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
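
Every session above has the same shape: one GET to bfliimi.com with a 200-character hex value in the q parameter, a User-Agent that names a Windows NT version that never shipped, and a chunked "text/html" answer whose only content is a 14-character hex token. The Python script below is an added example, not part of the Joe Sandbox report and not code from the sample: it rebuilds session 20's request and response byte for byte from the fields shown, decodes the chunked body, and extracts the beacon indicators a detection engineer would key on, using the OUT timestamps of sessions 20 to 32 to measure the cadence. The KNOWN_NT_VERSIONS set and the two thresholds (64 hex digits, 2 seconds) are this example's own assumptions.

```python
"""Decode and triage the HTTP beacon sessions shown in the sandbox report.

Added example. The request, response and timestamps are copied from the
sessions above; the version set and thresholds are assumptions of this script.
"""
import re
import statistics
from urllib.parse import parse_qs, urlsplit

# One OUT request exactly as shown in every session (the report counts 318 bytes).
REQUEST = (
    "GET /search/?q="
    "67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d7"
    "14bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe3394"
    "26fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1\r\n"
    "Host: bfliimi.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)\r\n"
    "\r\n"
).encode()

# The matching IN response from session 20 (the report counts 220 bytes); the
# body is the "Data Raw" chunked payload, copied verbatim.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.20.1\r\n"
    b"Date: Mon, 07 Oct 2024 09:23:09 GMT\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n"
    b"X-Powered-By: PHP/7.4.33\r\n"
    b"\r\n"
    + bytes.fromhex("65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a")
)

# OUT-direction timestamps (CEST, same day) of all 16 requests in sessions 20-32.
BEACON_TIMES = [
    "11:23:09.290266037", "11:23:10.117290020", "11:23:10.930772066",
    "11:23:11.743282080", "11:23:12.571504116", "11:23:13.398755074",
    "11:23:14.253559113", "11:23:15.070703983", "11:23:16.834683895",
    "11:23:17.643389940", "11:23:18.008759022", "11:23:18.836477995",
    "11:23:19.649010897", "11:23:20.455966949", "11:23:20.825309992",
    "11:23:21.635205030",
]

# Windows NT versions that real Internet Explorer user agents carry
# (Windows 2000 through Windows 11). Assumption of this example.
KNOWN_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}


def parse_message(raw: bytes):
    """Split an HTTP/1.1 message into (start line, lower-cased header dict, raw body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked transfer-encoded body: <hex size>CRLF<data>CRLF ... 0CRLFCRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk reached; trailers and final CRLF are ignored
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def to_seconds(ts: str) -> float:
    """'HH:MM:SS.nnnnnnnnn' -> seconds since midnight, keeping the nanosecond digits."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def beacon_intervals(times):
    """Gaps in seconds between consecutive requests."""
    secs = [to_seconds(t) for t in times]
    return [b - a for a, b in zip(secs, secs[1:])]


def triage(request: bytes, response: bytes, times) -> dict:
    """Return the beacon indicators found in one request/response pair plus the cadence."""
    findings = {}
    start, req_headers, _ = parse_message(request)
    method, target, _version = start.split(" ", 2)
    query = parse_qs(urlsplit(target).query)

    # 1. The User-Agent names a Windows NT version that does not exist.
    m = re.search(r"Windows NT (\d+\.\d+)", req_headers.get("user-agent", ""))
    if m and m.group(1) not in KNOWN_NT_VERSIONS:
        findings["bogus_nt_version"] = m.group(1)

    # 2. A long, purely hexadecimal "search" value is an opaque blob, not a search term.
    q = query.get("q", [""])[0]
    if method == "GET" and len(q) >= 64 and re.fullmatch(r"[0-9a-f]+", q):
        findings["query_blob_bytes"] = len(q) // 2

    # 3. A text/html body that holds no markup, only a short hex token.
    _status, resp_headers, body = parse_message(response)
    if resp_headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    token = body.decode("latin-1")
    if "text/html" in resp_headers.get("content-type", "") and re.fullmatch(r"[0-9a-f]+", token):
        findings["body_token"] = token

    # 4. Sub-second cadence between requests.
    gaps = beacon_intervals(times)
    if gaps and statistics.median(gaps) < 2.0:
        findings["median_interval_s"] = round(statistics.median(gaps), 3)
    return findings


if __name__ == "__main__":
    for name, value in triage(REQUEST, RESPONSE, BEACON_TIMES).items():
        print(f"{name}: {value}")
```

The rebuilt request is exactly 318 bytes and the response 220 bytes, matching the "Bytes transferred" column of every session, which confirms that the headers printed in the report are the complete messages and that the capture was not truncated. The decoded body is the 14-character token 67b680813008c2, identical in every answer, so the server is not returning per-request content. The median gap between requests is about 0.81 s; the two gaps under 0.4 s are the second requests that sessions 28 and 31 send on an already open keep-alive connection, and the single gap of about 1.76 s precedes session 28, right after the three duplicated 200 responses in session 27.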


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.6 | 59637 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:21.635205030 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:22.316485882 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:22.425048113 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:22.659635067 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:22.768269062 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:23.003329039 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:23.112679005 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:23.347242117 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:23.456242085 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:23.692183971 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
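Every session in this part of the capture is the same exchange: a GET to bfliimi.com (185.208.158.248:80) from the dropped jennyvideoconverter.exe with a fixed 200-hex-character q parameter and a User-Agent that claims "Windows NT 9.0" (a version that never shipped), answered by a chunked 14-byte hex string, repeated roughly every 0.34 s with a fresh TCP connection every few requests. The Python below is an added example, not Joe Sandbox output and not the malware's own code: it rebuilds the first request/response pair of session 33 byte for byte (the lengths come out as the report's 318 and 220 bytes), pulls out the fields an analyst would pivot on, de-chunks the reply (the report's Data Ascii line is that body with the CRLFs dropped: chunk size e, the 14 bytes 67b680813008c2, then the 0 terminator), and measures the spacing of the five requests in the session from the report's nanosecond timestamps. The function names, the REAL_NT_VERSIONS set and the triage reasons are this example's own assumptions; the page does not decode the q blob or the 14-byte reply, and neither does the code.

```python
"""Triage helpers for the HTTP beacon in the sessions above. Added example:
not Joe Sandbox output and not the malware's own code. REQUEST, RESPONSE and
SESSION_33_REQUEST_TIMES are rebuilt from the session 33 rows of the report;
the function names, REAL_NT_VERSIONS and the triage reasons are assumptions."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# The 200-hex-character q parameter every request in the report carries.
Q = ("67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14"
     "d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe"
     "339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f")
# Constructed from the first request/response pair of session 33; the lengths
# match the report's "Bytes transferred" column (318 OUT, 220 IN).
REQUEST = (
    b"GET /search/?q=" + Q.encode() + b" HTTP/1.1\r\n"
    b"Host: bfliimi.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)\r\n"
    b"\r\n"
)
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.20.1\r\n"
    b"Date: Mon, 07 Oct 2024 09:23:22 GMT\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n"
    b"X-Powered-By: PHP/7.4.33\r\n"
    b"\r\n"
    b"e\r\n67b680813008c2\r\n0\r\n\r\n"  # the 24 "Data Raw" bytes
)
# "Timestamp" column of the five OUT rows of session 33.
SESSION_33_REQUEST_TIMES = [
    "Oct 7, 2024 11:23:21.635205030 CEST", "Oct 7, 2024 11:23:22.425048113 CEST",
    "Oct 7, 2024 11:23:22.768269062 CEST", "Oct 7, 2024 11:23:23.112679005 CEST",
    "Oct 7, 2024 11:23:23.456242085 CEST",
]
# "Windows NT x.y" tokens that shipping Windows versions actually send.
REAL_NT_VERSIONS = {"3.1", "3.5", "3.51", "4.0", "5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}


def parse_http(msg: bytes):
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = msg.partition(b"\r\n\r\n")
    start, *lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body: hex size line, data, CRLF, ... until a 0 chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def triage_request(raw: bytes) -> dict:
    """Pivot fields of a request plus the reasons it does not look like a browser."""
    start, headers, _ = parse_http(raw)
    method, target, _version = start.split(" ")
    url = urlsplit(target)
    q = parse_qs(url.query).get("q", [""])[0]
    ua = headers.get("user-agent", "")
    reasons = []
    if re.fullmatch(r"[0-9a-f]{200}", q):
        reasons.append("q is exactly 100 opaque bytes, hex-encoded")
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt and nt.group(1) not in REAL_NT_VERSIONS:
        reasons.append(f"User-Agent claims Windows NT {nt.group(1)}, which never shipped")
    if not headers.keys() & {"accept", "accept-language", "accept-encoding"}:
        reasons.append("no Accept* headers at all: hand-rolled HTTP client")
    return {"method": method, "host": headers.get("host"), "path": url.path,
            "q": q, "user_agent": ua, "reasons": reasons}


def response_payload(raw: bytes) -> bytes:
    """Body of a response with the chunked framing removed (what the bot parses)."""
    _start, headers, body = parse_http(raw)
    return decode_chunked(body) if headers.get("transfer-encoding") == "chunked" else body


def parse_report_time(text: str):
    """(whole-second datetime, nanoseconds) for a report timestamp. The report
    prints nanoseconds and strptime's %f stops at microseconds, so the fraction
    is kept apart; the zone suffix is ignored because every row carries the same one."""
    m = re.match(r"(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d{9}) ", text)
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S"), int(m.group(2))


def request_gaps(timestamps) -> list:
    """Seconds between consecutive beacons; near-constant gaps point to a timer."""
    t = [parse_report_time(s) for s in timestamps]
    return [(wb - wa).total_seconds() + (nb - na) / 1e9 for (wa, na), (wb, nb) in zip(t, t[1:])]


if __name__ == "__main__":
    print(triage_request(REQUEST)["reasons"], response_payload(RESPONSE))
    print([round(g, 3) for g in request_gaps(SESSION_33_REQUEST_TIMES)])
```

For hunting, the three request-side reasons are the ones that survive a C2 domain change: a bare Host plus User-Agent header set, an impossible Windows NT token, and a fixed-length hex blob in a search-style query. The 0.34 s cadence is worth recording as well, but it comes from a sandbox run and the interval may differ on a real host.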


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.6 | 59638 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:23.879185915 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:24.553188086 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.6 | 59639 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:24.679676056 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:25.372963905 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.6 | 59640 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:25.494263887 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:26.174185991 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:26.284487963 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:26.519182920 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:26.627409935 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:26.862298012 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:26.971411943 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:27.206291914 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:27.315592051 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:27.550466061 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:27.659090042 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:27.893903017 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:28.005243063 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:28.240540028 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.6 | 59641 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:28.367888927 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:29.068346977 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.6 | 59642 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:29.402352095 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:30.094201088 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:30.207859039 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:30.443090916 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.6 | 59643 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:30.764048100 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:31.379404068 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:31.487246037 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:31.723624945 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.6 | 59644 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:31.851567030 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:32.531266928 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.6 | 59645 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:32.664819956 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:33.345192909 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:33.455954075 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:33.690493107 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.6 | 59646 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:33.805169106 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:34.484834909 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:34.597603083 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:34.832011938 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.6 | 59647 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:34.961288929 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:35.641107082 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.6 | 59648 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:35.848969936 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:36.538084030 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.6 | 59649 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:36.664804935 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:37.353296041 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.6 | 59650 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:37.481076002 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:38.188700914 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:38.299849987 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:38.541460991 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.6 | 59651 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:38.665159941 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:39.350745916 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.6 | 59652 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:39.476875067 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:40.156712055 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:40.274615049 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:40.509181023 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.6 | 59653 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:40.634476900 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:41.324615002 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.6 | 59654 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:41.445979118 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:42.126135111 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:42.237283945 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:42.472002029 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:42.581017017 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:42.828283072 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.6 | 59655 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:42.950824022 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:43.643450975 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:43.753026962 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:43.988105059 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:44.096805096 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:44.331247091 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 7, 2024 11:23:44.440423965 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:44.678543091 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.6 | 59656 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:44.830337048 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:45.507030964 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.6 | 59657 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:45.633476973 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:46.328454018 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.6 | 59658 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:46.461910963 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:47.153296947 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
55 | 192.168.2.6 | 59659 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:47.284646034 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:47.959098101 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
56 | 192.168.2.6 | 59660 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:48.086335897 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:48.768367052 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
57 | 192.168.2.6 | 59661 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:48.883399963 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:49.581882954 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.6 | 59662 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:49.711750984 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:50.394392967 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.6 | 59663 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:50.508429050 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:51.207310915 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.6 | 59664 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:51.323774099 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:52.017554045 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.6 | 59665 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:52.151906967 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:52.841253042 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.6 | 59666 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:53.010171890 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:53.689490080 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
63 | 192.168.2.6 | 59667 | 185.208.158.248 | 80 | 3508 | C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 11:23:53.807399988 CEST | 318 | OUT | GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 7, 2024 11:23:54.488123894 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID:64
Source IP:192.168.2.6
Source Port:59668
Destination IP:185.208.158.248
Destination Port:80
PID:3508
Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp:Oct 7, 2024 11:23:54.604482889 CEST
Bytes transferred:318
Direction:OUT
Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp:Oct 7, 2024 11:23:55.303401947 CEST
Bytes transferred:220
Direction:IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID:65
Source IP:192.168.2.6
Source Port:59669
Destination IP:185.208.158.248
Destination Port:80
PID:3508
Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp:Oct 7, 2024 11:23:55.433175087 CEST
Bytes transferred:318
Direction:OUT
Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp:Oct 7, 2024 11:23:56.112699986 CEST
Bytes transferred:220
Direction:IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID:66
Source IP:192.168.2.6
Source Port:59670
Destination IP:185.208.158.248
Destination Port:80
PID:3508
Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp:Oct 7, 2024 11:23:56.244607925 CEST
Bytes transferred:318
Direction:OUT
Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp:Oct 7, 2024 11:23:56.925060987 CEST
Bytes transferred:220
Direction:IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID:67
Source IP:192.168.2.6
Source Port:59672
Destination IP:185.208.158.248
Destination Port:80
PID:3508
Process:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe

Timestamp:Oct 7, 2024 11:23:57.043860912 CEST
Bytes transferred:318
Direction:OUT
Data:
GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf713c9ed9c9d3f HTTP/1.1
Host: bfliimi.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp:Oct 7, 2024 11:23:57.722906113 CEST
Bytes transferred:220
Direction:IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 07 Oct 2024 09:23:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20



                                                                            Target ID:1
                                                                            Start time:05:21:50
                                                                            Start date:07/10/2024
                                                                            Path:C:\Users\user\Desktop\Ui6sm6N5JG.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\Ui6sm6N5JG.exe"
                                                                            Imagebase:0x400000
                                                                            File size:4'537'644 bytes
                                                                            MD5 hash:4EB0EC18B14F303B5DE820F0A82C747B
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:false

                                                                            Target ID:2
                                                                            Start time:05:21:50
                                                                            Start date:07/10/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-9FR6D.tmp\Ui6sm6N5JG.tmp" /SL5="$203D2,4256353,54272,C:\Users\user\Desktop\Ui6sm6N5JG.exe"
                                                                            Imagebase:0x400000
                                                                            File size:709'120 bytes
                                                                            MD5 hash:C6A64497A14D9C70B36107218E969B1F
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:false

                                                                            Target ID:5
                                                                            Start time:05:21:53
                                                                            Start date:07/10/2024
                                                                            Path:C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Local\Jenny Video Converter\jennyvideoconverter.exe" -i
                                                                            Imagebase:0x400000
                                                                            File size:3'532'288 bytes
                                                                            MD5 hash:DB1B847C721315246794C6FF66CF49AD
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000005.00000002.3720875563.000000000288D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            Reputation:low
                                                                            Has exited:false


                                                                              Execution Graph

                                                                              Execution Coverage:21.2%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:2.4%
                                                                              Total number of Nodes:1498
                                                                              Total number of Limit Nodes:22
5889->5890 5891 403198 4 API calls 5890->5891 5892 409311 5891->5892 5892->5696 5894 405198 19 API calls 5893->5894 5895 404ca2 5894->5895 5895->5696 5897 408dc8 5896->5897 5996 408c80 5897->5996 5901 4034f0 4 API calls 5900->5901 5902 406a6b 5901->5902 5903 406a82 GetEnvironmentVariableA 5902->5903 5907 406a95 5902->5907 5922 406dec 5902->5922 5903->5902 5904 406a8e 5903->5904 5905 403198 4 API calls 5904->5905 5905->5907 5907->5854 5917 406a34 5907->5917 5909 403414 5908->5909 5910 4068ab GetFullPathNameA 5909->5910 5911 4068b7 5910->5911 5912 4068ce 5910->5912 5911->5912 5913 4068bf 5911->5913 5914 40322c 4 API calls 5912->5914 5915 403278 4 API calls 5913->5915 5916 4068cc 5914->5916 5915->5916 5916->5865 5926 4069dc 5917->5926 5921 406ce9 5920->5921 5921->5858 5923 406dfa 5922->5923 5924 4034f0 4 API calls 5923->5924 5925 406e08 5924->5925 5925->5902 5933 406978 5926->5933 5928 4069fe 5929 406a06 GetFileAttributesA 5928->5929 5930 406a1b 5929->5930 5931 403198 4 API calls 5930->5931 5932 406a23 5931->5932 5932->5854 5943 406744 5933->5943 5935 4069b0 5938 4069c6 5935->5938 5939 4069bb 5935->5939 5937 406989 5937->5935 5950 406970 CharPrevA 5937->5950 5951 403454 5938->5951 5940 40322c 4 API calls 5939->5940 5942 4069c4 5940->5942 5942->5928 5946 406755 5943->5946 5944 4067b9 5945 406680 IsDBCSLeadByte 5944->5945 5947 4067b4 5944->5947 5945->5947 5946->5944 5948 406773 5946->5948 5947->5937 5948->5947 5958 406680 IsDBCSLeadByte 5948->5958 5950->5937 5952 403486 5951->5952 5953 403459 5951->5953 5954 403198 4 API calls 5952->5954 5953->5952 5956 40346d 5953->5956 5955 40347c 5954->5955 5955->5942 5957 403278 4 API calls 5956->5957 5957->5955 5959 406694 5958->5959 5959->5948 5961 403198 4 API calls 5960->5961 5963 4091d1 5961->5963 5965 4091fe 5963->5965 5977 4032a8 5963->5977 5980 403494 5963->5980 5966 403198 4 API calls 5965->5966 5967 409213 5966->5967 5967->5879 5984 408f70 5968->5984 5970 40904a 5971 40904e 5970->5971 5990 406a48 5970->5990 5971->5879 5974 
409081 5993 408fac 5974->5993 5978 403278 4 API calls 5977->5978 5979 4032b5 5978->5979 5979->5963 5981 403498 5980->5981 5983 4034c3 5980->5983 5982 4034f0 4 API calls 5981->5982 5982->5983 5983->5963 5985 408f7a 5984->5985 5986 408f7e 5984->5986 5985->5970 5987 408fa0 SetLastError 5986->5987 5988 408f87 Wow64DisableWow64FsRedirection 5986->5988 5989 408f9b 5987->5989 5988->5989 5989->5970 5991 4069dc 7 API calls 5990->5991 5992 406a52 GetLastError 5991->5992 5992->5974 5994 408fb1 Wow64RevertWow64FsRedirection 5993->5994 5995 408fbb 5993->5995 5994->5995 5995->5879 5997 403198 4 API calls 5996->5997 6003 408cb1 5996->6003 5997->6003 5998 408cdc 5999 4031b8 4 API calls 5998->5999 6001 408d69 5999->6001 6000 408cc8 6004 4032fc 4 API calls 6000->6004 6001->5696 6002 403278 4 API calls 6002->6003 6003->5998 6003->6000 6003->6002 6005 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6003->6005 6004->5998 6005->6003 6007 406744 IsDBCSLeadByte 6006->6007 6009 406835 6007->6009 6008 40687f 6008->5708 6009->6008 6010 406680 IsDBCSLeadByte 6009->6010 6010->6009 6012 4068f3 6011->6012 6013 406820 IsDBCSLeadByte 6012->6013 6015 4068fe 6013->6015 6014 4066ea 6014->5713 6014->5714 6015->6014 6016 406680 IsDBCSLeadByte 6015->6016 6016->6015 6018 406957 6017->6018 6019 40695b 6017->6019 6018->5727 6022 406970 CharPrevA 6019->6022 6021 40696c 6021->5727 6022->6021 6024 402bd5 RaiseException 6023->6024 6025 402be6 6023->6025 6024->6025 6025->5751 6278 402e64 6279 402e69 6278->6279 6280 402e7a RtlUnwind 6279->6280 6281 402e5e 6279->6281 6282 402e9d 6280->6282 6299 40667c IsDBCSLeadByte 6300 406694 6299->6300 6712 403f7d 6713 403fa2 6712->6713 6716 403f84 6712->6716 6715 403e8e 4 API calls 6713->6715 6713->6716 6714 403f8c 6715->6716 6716->6714 6717 402674 4 API calls 6716->6717 6718 403fca 6717->6718 6725 403d02 6732 403d12 6725->6732 6726 403ddf ExitProcess 6727 403db8 6729 403cc8 4 API calls 6727->6729 6728 403dea 6730 403dc2 6729->6730 6731 403cc8 4 API calls 6730->6731 
6733 403dcc 6731->6733 6732->6726 6732->6727 6732->6728 6732->6732 6735 403da4 6732->6735 6736 403d8f MessageBoxA 6732->6736 6745 4019dc 6733->6745 6741 403fe4 6735->6741 6736->6727 6738 403dd1 6738->6726 6738->6728 6742 403fe8 6741->6742 6743 403f07 4 API calls 6742->6743 6744 404006 6743->6744 6746 401abb 6745->6746 6747 4019ed 6745->6747 6746->6738 6748 401a04 RtlEnterCriticalSection 6747->6748 6749 401a0e LocalFree 6747->6749 6748->6749 6750 401a41 6749->6750 6751 401a2f VirtualFree 6750->6751 6752 401a49 6750->6752 6751->6750 6753 401a70 LocalFree 6752->6753 6754 401a87 6752->6754 6753->6753 6753->6754 6755 401aa9 RtlDeleteCriticalSection 6754->6755 6756 401a9f RtlLeaveCriticalSection 6754->6756 6755->6738 6756->6755 6309 404206 6310 40420a 6309->6310 6311 4041cc 6309->6311 6312 404282 6310->6312 6313 403154 4 API calls 6310->6313 6314 404323 6313->6314 6315 402c08 6318 402c82 6315->6318 6319 402c19 6315->6319 6316 402c56 RtlUnwind 6317 403154 4 API calls 6316->6317 6317->6318 6319->6316 6319->6318 6322 402b28 6319->6322 6323 402b31 RaiseException 6322->6323 6324 402b47 6322->6324 6323->6324 6324->6316 6325 408c10 6326 408c17 6325->6326 6327 403198 4 API calls 6326->6327 6335 408cb1 6327->6335 6328 408cdc 6329 4031b8 4 API calls 6328->6329 6331 408d69 6329->6331 6330 408cc8 6333 4032fc 4 API calls 6330->6333 6332 403278 4 API calls 6332->6335 6333->6328 6334 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6334->6335 6335->6328 6335->6330 6335->6332 6335->6334 6336 40a011 6337 40a036 6336->6337 6338 407918 InterlockedExchange 6337->6338 6340 40a060 6338->6340 6339 40a070 6346 4076ac SetEndOfFile 6339->6346 6340->6339 6341 409aa0 4 API calls 6340->6341 6341->6339 6343 40a08c 6344 4025ac 4 API calls 6343->6344 6345 40a0c3 6344->6345 6347 4076c3 6346->6347 6348 4076bc 6346->6348 6347->6343 6349 40748c 21 API calls 6348->6349 6349->6347 6761 409916 6762 409918 6761->6762 6763 40993a 6762->6763 6764 409956 CallWindowProcA 6762->6764 6764->6763 6077 407017 6078 
407008 SetErrorMode 6077->6078 6354 403018 6355 403070 6354->6355 6356 403025 6354->6356 6357 40302a RtlUnwind 6356->6357 6358 40304e 6357->6358 6360 402f78 6358->6360 6361 402be8 6358->6361 6362 402bf1 RaiseException 6361->6362 6363 402c04 6361->6363 6362->6363 6363->6355 6771 409918 6772 409927 6771->6772 6773 40993a 6771->6773 6772->6773 6774 409956 CallWindowProcA 6772->6774 6774->6773 6368 40901e 6369 409010 6368->6369 6370 408fac Wow64RevertWow64FsRedirection 6369->6370 6371 409018 6370->6371 6372 409020 SetLastError 6373 409029 6372->6373 6384 403a28 ReadFile 6385 403a46 6384->6385 6386 403a49 GetLastError 6384->6386 6215 40762c ReadFile 6216 407663 6215->6216 6217 40764c 6215->6217 6218 407652 GetLastError 6217->6218 6219 40765c 6217->6219 6218->6216 6218->6219 6220 40748c 21 API calls 6219->6220 6220->6216 6391 40a02c 6392 409aa0 4 API calls 6391->6392 6393 40a031 6392->6393 6394 40a036 6393->6394 6395 402f24 5 API calls 6393->6395 6396 407918 InterlockedExchange 6394->6396 6395->6394 6397 40a060 6396->6397 6398 40a070 6397->6398 6399 409aa0 4 API calls 6397->6399 6400 4076ac 22 API calls 6398->6400 6399->6398 6401 40a08c 6400->6401 6402 4025ac 4 API calls 6401->6402 6403 40a0c3 6402->6403 6775 40712e 6776 407118 6775->6776 6777 403198 4 API calls 6776->6777 6778 407120 6777->6778 6779 403198 4 API calls 6778->6779 6780 407128 6779->6780 6781 408f30 6784 408dfc 6781->6784 6785 408e05 6784->6785 6786 403198 4 API calls 6785->6786 6787 408e13 6785->6787 6786->6785 6788 403932 6789 403924 6788->6789 6792 40374c 6789->6792 6791 40392c 6793 403766 6792->6793 6794 403759 6792->6794 6793->6791 6794->6793 6795 403779 VariantClear 6794->6795 6795->6791 6026 4075c4 SetFilePointer 6027 4075f7 6026->6027 6028 4075e7 GetLastError 6026->6028 6028->6027 6029 4075f0 6028->6029 6030 40748c 21 API calls 6029->6030 6030->6027 6404 405ac4 6405 405ad4 6404->6405 6406 405acc 6404->6406 6407 405ad2 6406->6407 6408 405adb 6406->6408 6411 405a3c 6407->6411 6409 405930 5 API calls 
6408->6409 6409->6405 6417 405a44 6411->6417 6412 405a5e 6414 405a63 6412->6414 6415 405a7a 6412->6415 6413 403154 4 API calls 6413->6417 6418 405930 5 API calls 6414->6418 6416 403154 4 API calls 6415->6416 6419 405a7f 6416->6419 6417->6412 6417->6413 6420 405a76 6418->6420 6421 4059a0 19 API calls 6419->6421 6422 403154 4 API calls 6420->6422 6421->6420 6423 405aa8 6422->6423 6424 403154 4 API calls 6423->6424 6425 405ab6 6424->6425 6425->6405 6426 4076c8 WriteFile 6427 4076e8 6426->6427 6428 4076ef 6426->6428 6429 40748c 21 API calls 6427->6429 6430 407700 6428->6430 6431 4073ec 20 API calls 6428->6431 6429->6428 6431->6430 6432 40a2ca 6441 4096fc 6432->6441 6435 402f24 5 API calls 6436 40a2d4 6435->6436 6437 403198 4 API calls 6436->6437 6438 40a2f3 6437->6438 6439 403198 4 API calls 6438->6439 6440 40a2fb 6439->6440 6450 40569c 6441->6450 6443 409745 6446 403198 4 API calls 6443->6446 6444 409717 6444->6443 6456 40720c 6444->6456 6448 40975a 6446->6448 6447 409735 6449 40973d MessageBoxA 6447->6449 6448->6435 6449->6443 6451 403154 4 API calls 6450->6451 6453 4056a1 6451->6453 6452 4056b9 6452->6444 6453->6452 6454 403154 4 API calls 6453->6454 6455 4056af 6454->6455 6455->6444 6457 40569c 4 API calls 6456->6457 6458 40721b 6457->6458 6459 407221 6458->6459 6460 40722f 6458->6460 6461 40322c 4 API calls 6459->6461 6463 40723f 6460->6463 6465 40724b 6460->6465 6462 40722d 6461->6462 6462->6447 6467 4071d0 6463->6467 6474 4032b8 6465->6474 6468 40322c 4 API calls 6467->6468 6469 4071df 6468->6469 6470 4071fc 6469->6470 6471 406950 CharPrevA 6469->6471 6470->6462 6472 4071eb 6471->6472 6472->6470 6473 4032fc 4 API calls 6472->6473 6473->6470 6475 403278 4 API calls 6474->6475 6476 4032c2 6475->6476 6476->6462 6477 402ccc 6478 402cdd 6477->6478 6482 402cfe 6477->6482 6479 402d88 RtlUnwind 6478->6479 6481 402b28 RaiseException 6478->6481 6478->6482 6480 403154 4 API calls 6479->6480 6480->6482 6483 402d7f 6481->6483 6483->6479 6804 403fcd 6805 403f07 4 API calls 
6804->6805 6806 403fd6 6805->6806 6807 403e9c 4 API calls 6806->6807 6808 403fe2 6807->6808 5462 4024d0 5463 4024e4 5462->5463 5464 4024f7 5462->5464 5501 401918 RtlInitializeCriticalSection 5463->5501 5466 402518 5464->5466 5467 40250e RtlEnterCriticalSection 5464->5467 5478 402300 5466->5478 5467->5466 5470 4024ed 5472 402525 5475 402581 5472->5475 5476 402577 RtlLeaveCriticalSection 5472->5476 5474 402531 5474->5472 5508 40215c 5474->5508 5476->5475 5479 402314 5478->5479 5480 402335 5479->5480 5481 4023b8 5479->5481 5483 402344 5480->5483 5522 401b74 5480->5522 5481->5483 5486 402455 5481->5486 5525 401d80 5481->5525 5533 401e84 5481->5533 5483->5472 5488 401fd4 5483->5488 5486->5483 5529 401d00 5486->5529 5489 401fe8 5488->5489 5490 401ffb 5488->5490 5491 401918 4 API calls 5489->5491 5492 402012 RtlEnterCriticalSection 5490->5492 5495 40201c 5490->5495 5493 401fed 5491->5493 5492->5495 5493->5490 5494 401ff1 5493->5494 5498 402052 5494->5498 5495->5498 5615 401ee0 5495->5615 5498->5474 5499 402147 5499->5474 5500 40213d RtlLeaveCriticalSection 5500->5499 5502 40193c RtlEnterCriticalSection 5501->5502 5503 401946 5501->5503 5502->5503 5504 401964 LocalAlloc 5503->5504 5505 40197e 5504->5505 5506 4019c3 RtlLeaveCriticalSection 5505->5506 5507 4019cd 5505->5507 5506->5507 5507->5464 5507->5470 5509 40217a 5508->5509 5510 402175 5508->5510 5511 4021ab RtlEnterCriticalSection 5509->5511 5514 4021b5 5509->5514 5518 40217e 5509->5518 5512 401918 4 API calls 5510->5512 5511->5514 5512->5509 5513 4021c1 5516 4022e3 RtlLeaveCriticalSection 5513->5516 5517 4022ed 5513->5517 5514->5513 5515 402244 5514->5515 5520 402270 5514->5520 5515->5518 5519 401d80 7 API calls 5515->5519 5516->5517 5517->5472 5518->5472 5519->5518 5520->5513 5521 401d00 7 API calls 5520->5521 5521->5513 5523 40215c 9 API calls 5522->5523 5524 401b95 5523->5524 5524->5483 5526 401d92 5525->5526 5527 401d89 5525->5527 5526->5481 5527->5526 5528 401b74 9 API calls 5527->5528 5528->5526 5530 401d1e 
5529->5530 5531 401d4e 5529->5531 5530->5483 5531->5530 5538 401c68 5531->5538 5593 401768 5533->5593 5535 401e99 5536 401ea6 5535->5536 5604 401dcc 5535->5604 5536->5481 5539 401c7a 5538->5539 5540 401c9d 5539->5540 5541 401caf 5539->5541 5551 40188c 5540->5551 5542 40188c 3 API calls 5541->5542 5544 401cad 5542->5544 5545 401cc5 5544->5545 5561 401b44 5544->5561 5545->5530 5547 401cd4 5548 401cee 5547->5548 5566 401b98 5547->5566 5571 4013a0 5548->5571 5552 4018b2 5551->5552 5560 40190b 5551->5560 5575 401658 5552->5575 5557 4018e6 5559 4013a0 LocalAlloc 5557->5559 5557->5560 5559->5560 5560->5544 5562 401b52 5561->5562 5564 401b61 5561->5564 5563 401d00 9 API calls 5562->5563 5565 401b5f 5563->5565 5564->5547 5565->5547 5567 401bab 5566->5567 5568 401b9d 5566->5568 5567->5548 5569 401b74 9 API calls 5568->5569 5570 401baa 5569->5570 5570->5548 5572 4013ab 5571->5572 5573 4013c6 5572->5573 5574 4012e4 LocalAlloc 5572->5574 5573->5545 5574->5573 5578 40168f 5575->5578 5576 4016cf 5579 40132c 5576->5579 5577 4016a9 VirtualFree 5577->5578 5578->5576 5578->5577 5580 401348 5579->5580 5587 4012e4 5580->5587 5583 40150c 5585 40153b 5583->5585 5584 401594 5584->5557 5585->5584 5586 401568 VirtualFree 5585->5586 5586->5585 5590 40128c 5587->5590 5591 401298 LocalAlloc 5590->5591 5592 4012aa 5590->5592 5591->5592 5592->5557 5592->5583 5594 401787 5593->5594 5595 40183b 5594->5595 5596 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 5594->5596 5597 40132c LocalAlloc 5594->5597 5599 401821 5594->5599 5602 4017d6 5594->5602 5600 4017e7 5595->5600 5611 4015c4 5595->5611 5596->5594 5597->5594 5601 40150c VirtualFree 5599->5601 5600->5535 5601->5600 5603 40150c VirtualFree 5602->5603 5603->5600 5605 401d80 9 API calls 5604->5605 5606 401de0 5605->5606 5607 40132c LocalAlloc 5606->5607 5608 401df0 5607->5608 5609 401b44 9 API calls 5608->5609 5610 401df8 5608->5610 5609->5610 5610->5536 5612 40160a 5611->5612 5613 401626 VirtualAlloc 5612->5613 5614 40163a 5612->5614 
5613->5612 5613->5614 5614->5600 5616 401ef0 5615->5616 5617 401f1c 5616->5617 5620 401f40 5616->5620 5621 401e58 5616->5621 5618 401d00 9 API calls 5617->5618 5617->5620 5618->5620 5620->5499 5620->5500 5626 4016d8 5621->5626 5624 401dcc 9 API calls 5625 401e75 5624->5625 5625->5616 5632 4016f4 5626->5632 5628 4016fe 5629 4015c4 VirtualAlloc 5628->5629 5634 40170a 5629->5634 5630 40175b 5630->5624 5630->5625 5631 40132c LocalAlloc 5631->5632 5632->5628 5632->5630 5632->5631 5633 40174f 5632->5633 5636 401430 5632->5636 5635 40150c VirtualFree 5633->5635 5634->5630 5635->5630 5637 40143f VirtualAlloc 5636->5637 5639 40146c 5637->5639 5640 40148f 5637->5640 5641 4012e4 LocalAlloc 5639->5641 5640->5632 5642 401478 5641->5642 5642->5640 5643 40147c VirtualFree 5642->5643 5643->5640 6484 4028d2 6485 4028da 6484->6485 6486 403554 4 API calls 6485->6486 6487 4028ef 6485->6487 6486->6485 6488 4025ac 4 API calls 6487->6488 6489 4028f4 6488->6489 6809 4019d3 6810 4019ba 6809->6810 6811 4019c3 RtlLeaveCriticalSection 6810->6811 6812 4019cd 6810->6812 6811->6812 6031 407fd4 6032 407fe6 6031->6032 6034 407fed 6031->6034 6042 407f10 6032->6042 6036 408015 6034->6036 6037 408017 6034->6037 6040 408021 6034->6040 6035 40804e 6056 407e2c 6036->6056 6053 407d7c 6037->6053 6038 407d7c 19 API calls 6038->6035 6040->6035 6040->6038 6043 407f25 6042->6043 6044 407d7c 19 API calls 6043->6044 6045 407f34 6043->6045 6044->6045 6046 407d7c 19 API calls 6045->6046 6048 407f6e 6045->6048 6046->6048 6047 407f82 6052 407fae 6047->6052 6063 407eb8 6047->6063 6048->6047 6049 407d7c 19 API calls 6048->6049 6049->6047 6052->6034 6066 4058b4 6053->6066 6055 407d9e 6055->6040 6057 405184 19 API calls 6056->6057 6058 407e57 6057->6058 6074 407de4 6058->6074 6060 407e5f 6061 403198 4 API calls 6060->6061 6062 407e74 6061->6062 6062->6040 6064 407ec7 VirtualFree 6063->6064 6065 407ed9 VirtualAlloc 6063->6065 6064->6065 6065->6052 6067 4058c0 6066->6067 6068 405184 19 API calls 6067->6068 6069 4058ed 
6068->6069 6070 4031e8 4 API calls 6069->6070 6071 4058f8 6070->6071 6072 403198 4 API calls 6071->6072 6073 40590d 6072->6073 6073->6055 6075 4058b4 19 API calls 6074->6075 6076 407e06 6075->6076 6076->6060 6494 40a0d5 6495 40a105 6494->6495 6496 40a10f CreateWindowExA SetWindowLongA 6495->6496 6497 405184 19 API calls 6496->6497 6498 40a192 6497->6498 6499 4032fc 4 API calls 6498->6499 6500 40a1a0 6499->6500 6501 4032fc 4 API calls 6500->6501 6502 40a1ad 6501->6502 6503 406b7c 5 API calls 6502->6503 6504 40a1b9 6503->6504 6505 4032fc 4 API calls 6504->6505 6506 40a1c2 6505->6506 6507 4099a4 29 API calls 6506->6507 6508 40a1d4 6507->6508 6509 409884 5 API calls 6508->6509 6510 40a1e7 6508->6510 6509->6510 6511 40a220 6510->6511 6512 4094d8 9 API calls 6510->6512 6513 40a239 6511->6513 6516 40a233 RemoveDirectoryA 6511->6516 6512->6511 6514 40a242 73EA5CF0 6513->6514 6515 40a24d 6513->6515 6514->6515 6517 40a275 6515->6517 6518 40357c 4 API calls 6515->6518 6516->6513 6519 40a26b 6518->6519 6520 4025ac 4 API calls 6519->6520 6520->6517 6079 40a0e7 6080 40a0eb SetLastError 6079->6080 6111 409648 GetLastError 6080->6111 6083 40a105 6085 40a10f CreateWindowExA SetWindowLongA 6083->6085 6084 402f24 5 API calls 6084->6083 6086 405184 19 API calls 6085->6086 6087 40a192 6086->6087 6088 4032fc 4 API calls 6087->6088 6089 40a1a0 6088->6089 6090 4032fc 4 API calls 6089->6090 6091 40a1ad 6090->6091 6124 406b7c GetCommandLineA 6091->6124 6094 4032fc 4 API calls 6095 40a1c2 6094->6095 6129 4099a4 6095->6129 6098 409884 5 API calls 6099 40a1e7 6098->6099 6100 40a220 6099->6100 6101 40a207 6099->6101 6103 40a239 6100->6103 6106 40a233 RemoveDirectoryA 6100->6106 6145 4094d8 6101->6145 6104 40a242 73EA5CF0 6103->6104 6105 40a24d 6103->6105 6104->6105 6107 40a275 6105->6107 6153 40357c 6105->6153 6106->6103 6109 40a26b 6110 4025ac 4 API calls 6109->6110 6110->6107 6112 404c84 19 API calls 6111->6112 6113 40968f 6112->6113 6114 407284 5 API calls 6113->6114 6115 40969f 6114->6115 
6116 408da8 4 API calls 6115->6116 6117 4096b4 6116->6117 6118 405880 4 API calls 6117->6118 6119 4096c3 6118->6119 6120 4031b8 4 API calls 6119->6120 6121 4096e2 6120->6121 6122 403198 4 API calls 6121->6122 6123 4096ea 6122->6123 6123->6083 6123->6084 6125 406af0 4 API calls 6124->6125 6126 406ba1 6125->6126 6127 403198 4 API calls 6126->6127 6128 406bbf 6127->6128 6128->6094 6130 4033b4 4 API calls 6129->6130 6131 4099df 6130->6131 6132 409a11 CreateProcessA 6131->6132 6133 409a24 CloseHandle 6132->6133 6134 409a1d 6132->6134 6136 409a2d 6133->6136 6135 409648 21 API calls 6134->6135 6135->6133 6166 409978 6136->6166 6139 409a49 6140 409978 3 API calls 6139->6140 6141 409a4e GetExitCodeProcess CloseHandle 6140->6141 6142 409a6e 6141->6142 6143 403198 4 API calls 6142->6143 6144 409a76 6143->6144 6144->6098 6144->6099 6146 409532 6145->6146 6147 4094eb 6145->6147 6146->6100 6147->6146 6148 4094f3 Sleep 6147->6148 6149 409503 Sleep 6147->6149 6151 40951a GetLastError 6147->6151 6170 408fbc 6147->6170 6148->6147 6149->6147 6151->6146 6152 409524 GetLastError 6151->6152 6152->6146 6152->6147 6154 403591 6153->6154 6162 4035a0 6153->6162 6158 4035d0 6154->6158 6159 40359b 6154->6159 6161 4035b6 6154->6161 6155 4035b1 6160 403198 4 API calls 6155->6160 6156 4035b8 6157 4031b8 4 API calls 6156->6157 6157->6161 6158->6161 6164 40357c 4 API calls 6158->6164 6159->6162 6163 4035ec 6159->6163 6160->6161 6161->6109 6162->6155 6162->6156 6163->6161 6178 403554 6163->6178 6164->6158 6167 40998c PeekMessageA 6166->6167 6168 409980 TranslateMessage DispatchMessageA 6167->6168 6169 40999e MsgWaitForMultipleObjects 6167->6169 6168->6167 6169->6136 6169->6139 6171 408f70 2 API calls 6170->6171 6172 408fd2 6171->6172 6173 408fd6 6172->6173 6174 408ff2 DeleteFileA GetLastError 6172->6174 6173->6147 6175 409010 6174->6175 6176 408fac Wow64RevertWow64FsRedirection 6175->6176 6177 409018 6176->6177 6177->6147 6179 403566 6178->6179 6181 403578 6179->6181 6182 403604 6179->6182 
6181->6163 6184 40357c 6182->6184 6183 4035a0 6185 4035b1 6183->6185 6186 4035b8 6183->6186 6184->6183 6188 4035d0 6184->6188 6189 40359b 6184->6189 6191 4035b6 6184->6191 6190 403198 4 API calls 6185->6190 6187 4031b8 4 API calls 6186->6187 6187->6191 6188->6191 6193 40357c 4 API calls 6188->6193 6189->6183 6192 4035ec 6189->6192 6190->6191 6191->6179 6192->6191 6194 403554 4 API calls 6192->6194 6193->6188 6194->6192 6816 402be9 RaiseException 6817 402c04 6816->6817 6527 402af2 6528 402afe 6527->6528 6531 402ed0 6528->6531 6532 403154 4 API calls 6531->6532 6534 402ee0 6532->6534 6533 402b03 6534->6533 6536 402b0c 6534->6536 6537 402b25 6536->6537 6538 402b15 RaiseException 6536->6538 6537->6533 6538->6537 6818 402dfa 6819 402e26 6818->6819 6820 402e0d 6818->6820 6822 402ba4 6820->6822 6823 402bc9 6822->6823 6824 402bad 6822->6824 6823->6819 6825 402bb5 RaiseException 6824->6825 6825->6823 6826 4075fa GetFileSize 6827 407626 6826->6827 6828 407616 GetLastError 6826->6828 6828->6827 6829 40761f 6828->6829 6830 40748c 21 API calls 6829->6830 6830->6827 6831 406ffb 6832 407008 SetErrorMode 6831->6832 6543 403a80 CloseHandle 6544 403a90 6543->6544 6545 403a91 GetLastError 6543->6545 6546 40a282 6547 40a1f4 6546->6547 6548 4094d8 9 API calls 6547->6548 6550 40a220 6547->6550 6548->6550 6549 40a239 6551 40a242 73EA5CF0 6549->6551 6552 40a24d 6549->6552 6550->6549 6553 40a233 RemoveDirectoryA 6550->6553 6551->6552 6554 40a275 6552->6554 6555 40357c 4 API calls 6552->6555 6553->6549 6556 40a26b 6555->6556 6557 4025ac 4 API calls 6556->6557 6557->6554 6558 404283 6559 4042c3 6558->6559 6560 403154 4 API calls 6559->6560 6561 404323 6560->6561 6833 404185 6834 4041ff 6833->6834 6835 4041cc 6834->6835 6836 403154 4 API calls 6834->6836 6837 404323 6836->6837 6562 40a287 6563 40a290 6562->6563 6565 40a2bb 6562->6565 6572 409448 6563->6572 6566 403198 4 API calls 6565->6566 6568 40a2f3 6566->6568 6567 40a295 6567->6565 6569 40a2b3 MessageBoxA 6567->6569 6570 403198 4 API 
calls 6568->6570 6569->6565 6571 40a2fb 6570->6571 6573 409454 GetCurrentProcess OpenProcessToken 6572->6573 6574 4094af ExitWindowsEx 6572->6574 6575 409466 6573->6575 6576 40946a LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6573->6576 6574->6575 6575->6567 6576->6574 6576->6575 6577 403e87 6578 403e4c 6577->6578 6579 403e62 6578->6579 6580 403e7b 6578->6580 6581 403e67 6578->6581 6586 403cc8 6579->6586 6582 402674 4 API calls 6580->6582 6584 403e78 6581->6584 6590 402674 6581->6590 6582->6584 6587 403cd6 6586->6587 6588 402674 4 API calls 6587->6588 6589 403ceb 6587->6589 6588->6589 6589->6581 6591 403154 4 API calls 6590->6591 6592 40267a 6591->6592 6592->6584 6597 407e90 6598 407eb8 VirtualFree 6597->6598 6599 407e9d 6598->6599 6846 403991 6847 403983 6846->6847 6848 40374c VariantClear 6847->6848 6849 40398b 6848->6849 6850 405b92 6852 405b94 6850->6852 6851 405bd0 6853 405930 5 API calls 6851->6853 6852->6851 6854 405be7 6852->6854 6855 405bca 6852->6855 6857 405be3 6853->6857 6859 404ccc 5 API calls 6854->6859 6855->6851 6856 405c3c 6855->6856 6858 4059a0 19 API calls 6856->6858 6860 403198 4 API calls 6857->6860 6858->6857 6861 405c10 6859->6861 6862 405c76 6860->6862 6863 4059a0 19 API calls 6861->6863 6863->6857 6602 403e95 6603 403e4c 6602->6603 6604 403e67 6603->6604 6605 403e62 6603->6605 6606 403e7b 6603->6606 6609 403e78 6604->6609 6610 402674 4 API calls 6604->6610 6608 403cc8 4 API calls 6605->6608 6607 402674 4 API calls 6606->6607 6607->6609 6608->6604 6610->6609 6611 403a97 6612 403aac 6611->6612 6613 403bbc GetStdHandle 6612->6613 6614 403b0e CreateFileA 6612->6614 6624 403ab2 6612->6624 6615 403c17 GetLastError 6613->6615 6619 403bba 6613->6619 6614->6615 6616 403b2c 6614->6616 6615->6624 6618 403b3b GetFileSize 6616->6618 6616->6619 6618->6615 6620 403b4e SetFilePointer 6618->6620 6621 403be7 GetFileType 6619->6621 6619->6624 6620->6615 6625 403b6a ReadFile 6620->6625 6623 403c02 CloseHandle 6621->6623 6621->6624 6623->6624 
6625->6615 6626 403b8c 6625->6626 6626->6619 6627 403b9f SetFilePointer 6626->6627 6627->6615 6628 403bb0 SetEndOfFile 6627->6628 6628->6615 6628->6619 6882 4011aa 6883 4011ac GetStdHandle 6882->6883 6221 4076ac SetEndOfFile 6222 4076c3 6221->6222 6223 4076bc 6221->6223 6224 40748c 21 API calls 6223->6224 6224->6222 6632 4028ac 6633 402594 4 API calls 6632->6633 6634 4028b6 6633->6634 6635 401ab9 6636 401a96 6635->6636 6637 401aa9 RtlDeleteCriticalSection 6636->6637 6638 401a9f RtlLeaveCriticalSection 6636->6638 6638->6637
Control-flow Graph
• Executed
• Not Executed
Graph of the function at 409b30-409beb (the interactive basic-block graph is not reproduced). Recoverable block structure: 409b30-409b54 calls GetSystemInfo and VirtualQuery; a loop over 409b5c-409bd7 inspects each region, calls VirtualProtect at 409b84-409b95, calls the helper at 409b28 from 409b9d-409ba6, conditionally calls VirtualProtect again at 409bb3-409bc0, and advances to the next region with VirtualQuery at 409bc5-409bd7; the function exits at 409be4-409beb.
APIs
• GetSystemInfo.KERNEL32(?), ref: 00409B42
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
• Note: 0x40 is PAGE_EXECUTE_READWRITE and 0x1C is sizeof(MEMORY_BASIC_INFORMATION) on 32-bit Windows. The VirtualQuery walk starts at the image base 0x400000, so the routine re-protects the regions of the mapped image itself as writable and executable rather than touching foreign memory.
Memory Dump Source
• Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Virtual$ProtectQuery$InfoSystem
• String ID:
• API String ID: 2441996862-0
• Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
• Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
• Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
• Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              • Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                              • Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
                                                                              • Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                              • Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModulePolicyProcess
                                                                              • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                              • API String ID: 3256987805-3653653586
                                                                              • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                              • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                              • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                              • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • SetLastError.KERNEL32 ref: 0040A0F4
                                                                                • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,021C15C0), ref: 0040966C
                                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                              • SetWindowLongA.USER32(000203D2,000000FC,00409918), ref: 0040A148
                                                                              • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                              • 73EA5CF0.USER32(000203D2,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastWindow$CreateDirectoryLongRemove
                                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                              • API String ID: 3341979996-3001827809
                                                                              • Opcode ID: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
                                                                              • Instruction ID: a1ec2b29f79e5ff862fc4fad7e4f310b8339f10a1453332cc6b7faa73b6a426b
                                                                              • Opcode Fuzzy Hash: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
                                                                              • Instruction Fuzzy Hash: C2411F71600205DFD710EBA9EE8AB9977A4EB45304F10467EF514B73E2CBB8A811CB9D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                              • API String ID: 1646373207-2130885113
                                                                              • Opcode ID: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                              • Instruction ID: 4a4222b704d734fa8d0781b40c04fe9f9c76e7b4f133337d95099c0c8a01123f
                                                                              • Opcode Fuzzy Hash: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                              • Instruction Fuzzy Hash: 20017170748342AEFB00BB72DD4AB163A68E785704F50457BF5407A2D3DABD4C04DA6D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                              • SetWindowLongA.USER32(000203D2,000000FC,00409918), ref: 0040A148
                                                                                • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
                                                                                • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021C15C0,00409A90,00000000,00409A77), ref: 00409A14
                                                                                • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021C15C0,00409A90,00000000), ref: 00409A28
                                                                                • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                                • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                                • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021C15C0,00409A90), ref: 00409A5C
                                                                              • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                              • 73EA5CF0.USER32(000203D2,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                              • API String ID: 978128352-3001827809
                                                                              • Opcode ID: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
                                                                              • Instruction ID: f39d198f6ca78f9e57da3cbf677d536b45cc778db879de651171db1d1b5627bc
                                                                              • Opcode Fuzzy Hash: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
                                                                              • Instruction Fuzzy Hash: 07411A71604204DFD714EBA9EE86B5A77A4EB49304F10427EE514B73E1CBB8A810CB9D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021C15C0,00409A90,00000000,00409A77), ref: 00409A14
                                                                              • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021C15C0,00409A90,00000000), ref: 00409A28
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                              • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                              • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021C15C0,00409A90), ref: 00409A5C
                                                                                • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,021C15C0), ref: 0040966C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                              • String ID: D
                                                                              • API String ID: 3356880605-2746444292
                                                                              • Opcode ID: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
                                                                              • Instruction ID: 6ea97129cf5aa135a7f7046e3a99eae43c862e8aca722617c6144c18eae127a8
                                                                              • Opcode Fuzzy Hash: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
                                                                              • Instruction Fuzzy Hash: 3A1142B17442486EDB10EBE68C42FAEB7ACEF49714F50017BB604F72C2DA785D048A69

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Message
                                                                              • String ID: .tmp$y@
                                                                              • API String ID: 2030045667-2396523267
                                                                              • Opcode ID: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
                                                                              • Instruction ID: eba11cc0b212557bcf85e4c41764595d0d3f2f842990b0293eb01d0c1562b25b
                                                                              • Opcode Fuzzy Hash: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
                                                                              • Instruction Fuzzy Hash: 9841BD30600200DFC711EF25DE96A5A77A5EB49304B50463AF804B73E2CBB9AC05CBED

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Message
                                                                              • String ID: .tmp$y@
                                                                              • API String ID: 2030045667-2396523267
                                                                              • Opcode ID: b92571b7798fdf1738320cf5764acc74050170256781880fb7a821db28d3127f
                                                                              • Instruction ID: fef9de22095f7e51d457e3baefdda2d393bbfb66a144e2f6f14d312cbfdc2d61
                                                                              • Opcode Fuzzy Hash: b92571b7798fdf1738320cf5764acc74050170256781880fb7a821db28d3127f
                                                                              • Instruction Fuzzy Hash: 3A418D70610204DFC711EF25DED6A5A77A5EB49308B50463AF804B73E2CBB9AC05CBAD

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID: .tmp
                                                                              • API String ID: 1375471231-2986845003
                                                                              • Opcode ID: 8228534b5fce36e17f8a1a4f12b5018fbfc2097e6833105d4f39ac42e8c6f43b
                                                                              • Instruction ID: a1094b0e4056d8a2da25745c6e48f9a4b2523a9a3c4edc503687ab74cbc79d39
                                                                              • Opcode Fuzzy Hash: 8228534b5fce36e17f8a1a4f12b5018fbfc2097e6833105d4f39ac42e8c6f43b
                                                                              • Instruction Fuzzy Hash: 3A213674A002099BDB05FFA1C9429DEB7B9EF48304F50457BE901B73C2DA7C9E059AA5

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                              • Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
                                                                              • Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                              • Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B

                                                                              Control-flow Graph
                                                                              • Single block 00406FA0-00406FF3: SetErrorMode, subcall to 00403414, LoadLibraryA
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                              • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLibraryLoadMode
                                                                              • String ID:
                                                                              • API String ID: 2987862817-0
                                                                              • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                              • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                              • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                              • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

                                                                              Control-flow Graph
                                                                              • Graph spans 0040766C-004076A8: SetFilePointer, then GetLastError on the failure path with a subcall to 0040748C
                                                                              APIs
                                                                              • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                              • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021B03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$FilePointer
                                                                              • String ID:
                                                                              • API String ID: 1156039329-0
                                                                              • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                              • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                              • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                              • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                              Control-flow Graph
                                                                              • Graph spans 0040762C-0040766A: ReadFile, then GetLastError on the failure path with a subcall to 0040748C
                                                                              APIs
                                                                              • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLastRead
                                                                              • String ID:
                                                                              • API String ID: 1948546556-0
                                                                              • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                              • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                              • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                              • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

                                                                              Control-flow Graph
                                                                              • Graph spans 004075C4-004075F9: SetFilePointer, then GetLastError on the failure path with a subcall to 0040748C
                                                                              APIs
                                                                              • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                              • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021B03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$FilePointer
                                                                              • String ID:
                                                                              • API String ID: 1156039329-0
                                                                              • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                              • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                              • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                              • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual$AllocFree
                                                                              • String ID:
                                                                              • API String ID: 2087232378-0
                                                                              • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                              • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                              • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                              • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F
                                                                                • Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9
                                                                                • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: DefaultInfoLoadLocaleStringSystem
                                                                              • String ID:
                                                                              • API String ID: 1658689577-0
                                                                              • Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                              • Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
                                                                              • Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                              • Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                              • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                              • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                              • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                              • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                              • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                              • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                              • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                              • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                              • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                              APIs
                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021B03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLastWrite
                                                                              • String ID:
                                                                              • API String ID: 442123175-0
                                                                              • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                              • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                              • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                              • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                              APIs
                                                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FormatMessage
                                                                              • String ID:
                                                                              • API String ID: 1306739567-0
                                                                              • Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                                              • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                              • Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                                              • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                                              APIs
                                                                              • SetEndOfFile.KERNEL32(?,021D4000,0040A08C,00000000), ref: 004076B3
                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021B03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLast
                                                                              • String ID:
                                                                              • API String ID: 734332943-0
                                                                              • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                              • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                              • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                              • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                              • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                              • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                              • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                              • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                              • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                              • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                              APIs
                                                                              • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CharPrev
                                                                              • String ID:
                                                                              • API String ID: 122130370-0
                                                                              • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                              • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                              • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                              • Instruction Fuzzy Hash:
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
                                                                              • Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
                                                                              • Opcode Fuzzy Hash: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
                                                                              • Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                              • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                              • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                              • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle
                                                                              • String ID:
                                                                              • API String ID: 2962429428-0
                                                                              • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                              • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                              • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                              • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                              • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                              • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                              • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
                                                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                              • String ID: SeShutdownPrivilege
                                                                              • API String ID: 107509674-3733053543
                                                                              • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                              • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                              • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                              • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
                                                                              • SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
                                                                              • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
                                                                              • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                              • String ID:
                                                                              • API String ID: 3473537107-0
                                                                              • Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                                              • Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
                                                                              • Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                                              • Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E
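Two of the blocks above are worth more than a glance: the function at 00409457 opens its own token with TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY (0x28), enables SeShutdownPrivilege and calls ExitWindowsEx with uFlags 2 (EWX_REBOOT), and the function at 00409BF6 pulls an RT_RCDATA (type 0xA) resource named 0x2B67 out of its own image, the usual shape of an installer payload being unpacked. The script below is an added example, not part of the Joe Sandbox report: it parses the "APIs" blocks in the layout used on this page, decodes those constants from standard Win32 values, and reports the two chains plus the VirtualAlloc protection. The sample input is excerpted from the blocks above; the block-boundary and chain heuristics are my own assumptions about Joe Sandbox's format. One caveat the report itself illustrates: the values in parentheses are a stack snapshot, not the call's true argument list (GetCurrentProcess takes no parameters yet shows 00000028, which is the access mask already pushed for OpenProcessToken), so only the leading slots are trustworthy and the decoder only reads those.

```python
"""Parse the per-function 'APIs' blocks of a Joe Sandbox report and decode two
API chains seen in the sample: SeShutdownPrivilege -> ExitWindowsEx, and
FindResource -> LoadResource -> LockResource. Added example; constants are
standard Win32 values, the block layout is an assumption about Joe's format."""
import re
from dataclasses import dataclass, field

# One call line: "• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3",
# optionally prefixed with "Part of subcall function XXXXXXXX:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE", 0x8: "EWX_POWEROFF"}
TOKEN_ACCESS = {0x8: "TOKEN_QUERY", 0x20: "TOKEN_ADJUST_PRIVILEGES"}
PAGE_PROTECT = {0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
RESOURCE_TYPES = {10: "RT_RCDATA"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # raw stack slots as printed; '?' or a string literal stays as-is
    ref: str


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    opcode_id: str = ""


def parse_blocks(text):
    """Split report text into FunctionBlocks; each starts at an 'APIs' header."""
    blocks, cur = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            name, module, argstr, ref = m.groups()
            args = [a.strip() for a in argstr.split(",")] if argstr.strip() else []
            cur.calls.append(ApiCall(name, module, args, ref.upper()))
        elif stripped.startswith("• Opcode ID:"):
            cur.opcode_id = stripped.split(":", 1)[1].strip()
    return blocks


def as_int(arg):
    """Hex stack slot -> int; '?' and symbolic slots (e.g. privilege names) -> None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def flag_names(value, table):
    """Decode a bitmask against a constant table, keeping unknown bits visible."""
    names = [n for bit, n in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"0x{unknown:X}")
    return "|".join(names) or "0"


def analyze(text):
    """Return one finding dict per matched chain across all blocks."""
    findings = []
    for blk in parse_blocks(text):
        by_name = {c.name: c for c in blk.calls}
        names = set(by_name)

        lookup = by_name.get("LookupPrivilegeValueA")
        if lookup and "ExitWindowsEx" in names and "SeShutdownPrivilege" in lookup.args:
            ex = by_name["ExitWindowsEx"].args
            f = {"kind": "privileged_reboot", "opcode_id": blk.opcode_id,
                 "exit_flags": flag_names((as_int(ex[0]) if ex else None) or 0, EWX_FLAGS)}
            tok = by_name.get("OpenProcessToken")
            if tok and len(tok.args) > 1 and as_int(tok.args[1]) is not None:
                f["token_access"] = flag_names(as_int(tok.args[1]), TOKEN_ACCESS)
            findings.append(f)

        if {"FindResourceA", "LoadResource", "LockResource"} <= names:
            fr = by_name["FindResourceA"].args   # (hModule, lpName, lpType)
            rtype = as_int(fr[2]) if len(fr) > 2 else None
            findings.append({"kind": "embedded_resource", "opcode_id": blk.opcode_id,
                             "name": as_int(fr[1]) if len(fr) > 1 else None,
                             "type": RESOURCE_TYPES.get(rtype, rtype)})

        va = by_name.get("VirtualAlloc")        # (lpAddress, dwSize, flAllocationType, flProtect)
        if va and len(va.args) > 3 and as_int(va.args[3]) is not None:
            prot = as_int(va.args[3])
            findings.append({"kind": "virtual_alloc", "opcode_id": blk.opcode_id,
                             "protect": PAGE_PROTECT.get(prot, hex(prot))})
    return findings


# Constructed sample: three blocks excerpted from the report above (call lines
# verbatim, metadata lines omitted apart from the Opcode ID).
SAMPLE = """\
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
• Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
• Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
• SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
• Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Run against the whole report text rather than the excerpt to get the same decoding for every block; unknown bits in a mask are printed in hex instead of being silently dropped, so a flProtect of 0x40 or an EWX_FORCE bit would show up rather than vanish.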
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              • Opcode ID: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                                              • Instruction ID: 297a7c39c0825e6b478cba46507f56ab37b47465b1590baa0f4eee863dd3b982
                                                                              • Opcode Fuzzy Hash: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                                              • Instruction Fuzzy Hash: AED05EA630E6502AE21051AB2D85EBB4A9CCEC5BA4F18407FF648D7242D6248C069B76
                                                                              APIs
                                                                              • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: SystemTime
                                                                              • String ID:
                                                                              • API String ID: 2656138-0
                                                                              • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                              • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                              • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                              • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                              APIs
                                                                              • GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Version
                                                                              • String ID:
                                                                              • API String ID: 1889659487-0
                                                                              • Opcode ID: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                              • Instruction ID: 3c95a3e10eaf3ff9c271e05f7503c1a51fdcfb4de7972086e3eff1de8b037954
                                                                              • Opcode Fuzzy Hash: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                              • Instruction Fuzzy Hash: FDC012A040070186D7109B31EC02B1672D4AB44310F440539AEA4953C2E73C80018A5A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                              • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                              • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                              • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressCloseHandleModuleProc
                                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                              • API String ID: 4190037839-2401316094
                                                                              • Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                              • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                              • Opcode Fuzzy Hash: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                              • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                              • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                              • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                              • String ID:
                                                                              • API String ID: 1694776339-0
                                                                              • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                              • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                              • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                              • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
                                                                                • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale$DefaultSystem
                                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                              • API String ID: 1044490935-665933166
                                                                              • Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                              • Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
                                                                              • Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                              • Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                              • LocalFree.KERNEL32(00580630,00000000,00401AB4), ref: 00401A1B
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,00580630,00000000,00401AB4), ref: 00401A3A
                                                                              • LocalFree.KERNEL32(00581630,?,00000000,00008000,00580630,00000000,00401AB4), ref: 00401A79
                                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                              • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                              • String ID:
                                                                              • API String ID: 3782394904-0
                                                                              • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                              • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                              • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                              • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                              • ExitProcess.KERNEL32 ref: 00403DE5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ExitMessageProcess
                                                                              • String ID: Error$Runtime error at 00000000$9@
                                                                              • API String ID: 1220098344-1503883590
                                                                              • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                              • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                              • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                              • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$AllocString
                                                                              • String ID:
                                                                              • API String ID: 262959230-0
                                                                              • Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                              • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                              • Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                              • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
                                                                              • GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CommandHandleLineModule
                                                                              • String ID: U1hd.@$h'V
                                                                              • API String ID: 2123368496-3468497718
                                                                              • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                              • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                              • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                              • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                              APIs
                                                                              • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                              • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                              • String ID:
                                                                              • API String ID: 730355536-0
                                                                              • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                              • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                              • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                              • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                              APIs
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: QueryValue
                                                                              • String ID: )q@
                                                                              • API String ID: 3660427363-2284170586
                                                                              • Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                              • Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
                                                                              • Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                              • Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99
                                                                              APIs
                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3713482204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3712516099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713541757.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000001.00000002.3713975847.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastSleep
                                                                              • String ID:
                                                                              • API String ID: 1458359878-0
                                                                              • Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                              • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                              • Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                              • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                                              Execution Graph

                                                                              Execution Coverage:16%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:4.3%
                                                                              Total number of Nodes:2000
                                                                              Total number of Limit Nodes:69
                                                                              execution_graph 49694 40cf00 49695 40cf12 49694->49695 49696 40cf0d 49694->49696 49698 406f50 CloseHandle 49696->49698 49698->49695 55841 4413a4 55842 4413ad 55841->55842 55843 4413bb WriteFile 55841->55843 55842->55843 55844 4413c6 55843->55844 49699 492208 49700 49223c 49699->49700 49701 49223e 49700->49701 49702 492252 49700->49702 49845 446fac 18 API calls 49701->49845 49705 492261 49702->49705 49707 49228e 49702->49707 49704 492247 Sleep 49719 492289 49704->49719 49835 447008 49705->49835 49711 4922ca 49707->49711 49712 49229d 49707->49712 49709 492270 49713 492278 FindWindowA 49709->49713 49717 4922d9 49711->49717 49718 492320 49711->49718 49714 447008 18 API calls 49712->49714 49839 447288 49713->49839 49716 4922aa 49714->49716 49721 4922b2 FindWindowA 49716->49721 49846 446fac 18 API calls 49717->49846 49724 49237c 49718->49724 49725 49232f 49718->49725 49885 403420 49719->49885 49723 447288 5 API calls 49721->49723 49722 4922e5 49847 446fac 18 API calls 49722->49847 49727 4922c5 49723->49727 49734 4923d8 49724->49734 49735 49238b 49724->49735 49850 446fac 18 API calls 49725->49850 49727->49719 49729 4922f2 49848 446fac 18 API calls 49729->49848 49730 49233b 49851 446fac 18 API calls 49730->49851 49733 4922ff 49849 446fac 18 API calls 49733->49849 49745 492412 49734->49745 49746 4923e7 49734->49746 49855 446fac 18 API calls 49735->49855 49737 492348 49852 446fac 18 API calls 49737->49852 49739 492397 49856 446fac 18 API calls 49739->49856 49741 49230a SendMessageA 49744 447288 5 API calls 49741->49744 49743 492355 49853 446fac 18 API calls 49743->49853 49744->49727 49754 492421 49745->49754 49755 492460 49745->49755 49749 447008 18 API calls 49746->49749 49747 4923a4 49857 446fac 18 API calls 49747->49857 49752 4923f4 49749->49752 49751 492360 PostMessageA 49854 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49751->49854 49757 4923fc RegisterClipboardFormatA 
49752->49757 49753 4923b1 49858 446fac 18 API calls 49753->49858 49860 446fac 18 API calls 49754->49860 49763 49246f 49755->49763 49764 4924b4 49755->49764 49760 447288 5 API calls 49757->49760 49760->49719 49761 4923bc SendNotifyMessageA 49859 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49761->49859 49762 49242d 49861 446fac 18 API calls 49762->49861 49863 446fac 18 API calls 49763->49863 49773 492508 49764->49773 49774 4924c3 49764->49774 49768 49243a 49862 446fac 18 API calls 49768->49862 49769 49247b 49864 446fac 18 API calls 49769->49864 49772 492445 SendMessageA 49777 447288 5 API calls 49772->49777 49782 49256a 49773->49782 49783 492517 49773->49783 49867 446fac 18 API calls 49774->49867 49776 492488 49865 446fac 18 API calls 49776->49865 49777->49727 49778 4924cf 49868 446fac 18 API calls 49778->49868 49781 492493 PostMessageA 49866 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49781->49866 49790 492579 49782->49790 49791 4925f1 49782->49791 49786 447008 18 API calls 49783->49786 49784 4924dc 49869 446fac 18 API calls 49784->49869 49788 492524 49786->49788 49871 42e3a4 SetErrorMode 49788->49871 49789 4924e7 SendNotifyMessageA 49870 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49789->49870 49794 447008 18 API calls 49790->49794 49800 492600 49791->49800 49801 492626 49791->49801 49798 492588 49794->49798 49795 492531 49796 492547 GetLastError 49795->49796 49797 492537 49795->49797 49802 447288 5 API calls 49796->49802 49799 447288 5 API calls 49797->49799 49874 446fac 18 API calls 49798->49874 49803 492545 49799->49803 49879 446fac 18 API calls 49800->49879 49810 492658 49801->49810 49811 492635 49801->49811 49802->49803 49807 447288 5 API calls 49803->49807 49806 49260a FreeLibrary 49880 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49806->49880 49807->49719 49808 49259b GetProcAddress 49812 4925e1 49808->49812 49813 4925a7 49808->49813 49818 492667 49810->49818 49824 
49269b 49810->49824 49814 447008 18 API calls 49811->49814 49878 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49812->49878 49875 446fac 18 API calls 49813->49875 49816 492641 49814->49816 49822 492649 CreateMutexA 49816->49822 49881 48c638 18 API calls 49818->49881 49819 4925b3 49876 446fac 18 API calls 49819->49876 49822->49719 49823 4925c0 49827 447288 5 API calls 49823->49827 49824->49719 49883 48c638 18 API calls 49824->49883 49826 492673 49828 492684 OemToCharBuffA 49826->49828 49829 4925d1 49827->49829 49882 48c650 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49828->49882 49877 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49829->49877 49832 4926b6 49833 4926c7 CharToOemBuffA 49832->49833 49884 48c650 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49833->49884 49836 447010 49835->49836 49889 436088 49836->49889 49838 44702f 49838->49709 49840 447290 49839->49840 49943 4363f0 VariantClear 49840->49943 49842 4472b3 49843 4472ca 49842->49843 49944 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49842->49944 49843->49719 49845->49704 49846->49722 49847->49729 49848->49733 49849->49741 49850->49730 49851->49737 49852->49743 49853->49751 49854->49727 49855->49739 49856->49747 49857->49753 49858->49761 49859->49719 49860->49762 49861->49768 49862->49772 49863->49769 49864->49776 49865->49781 49866->49727 49867->49778 49868->49784 49869->49789 49870->49719 49945 403738 49871->49945 49874->49808 49875->49819 49876->49823 49877->49727 49878->49727 49879->49806 49880->49719 49881->49826 49882->49719 49883->49832 49884->49719 49887 403426 49885->49887 49886 40344b 49887->49886 49888 402660 4 API calls 49887->49888 49888->49887 49890 436094 49889->49890 49906 4360b6 49889->49906 49890->49906 49909 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49890->49909 49891 436139 49918 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49891->49918 49893 436121 49913 403494 49893->49913 49894 
436109 49898 403510 4 API calls 49894->49898 49895 4360fd 49910 403510 49895->49910 49896 43612d 49917 4040e8 18 API calls 49896->49917 49903 436112 49898->49903 49902 43614a 49902->49838 49903->49838 49904 436115 49904->49838 49906->49891 49906->49893 49906->49894 49906->49895 49906->49896 49906->49904 49907 436136 49907->49838 49909->49906 49919 4034e0 49910->49919 49915 403498 49913->49915 49914 4034ba 49914->49838 49915->49914 49916 402660 4 API calls 49915->49916 49916->49914 49917->49907 49918->49902 49924 4034bc 49919->49924 49922 4034f0 49929 403400 49922->49929 49925 4034c0 49924->49925 49926 4034dc 49924->49926 49933 402648 49925->49933 49926->49922 49928 4034c9 49928->49922 49930 403406 49929->49930 49931 40341f 49929->49931 49930->49931 49938 402660 49930->49938 49931->49838 49934 40264c 49933->49934 49935 402656 49933->49935 49934->49935 49937 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49934->49937 49935->49928 49935->49935 49937->49935 49939 402664 49938->49939 49941 40266e 49938->49941 49939->49941 49942 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49939->49942 49941->49931 49942->49941 49943->49842 49944->49843 49946 40373c LoadLibraryA 49945->49946 49946->49795 49947 402584 49948 402598 49947->49948 49949 4025ab 49947->49949 49977 4019cc RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc RtlLeaveCriticalSection 49948->49977 49950 4025c2 RtlEnterCriticalSection 49949->49950 49951 4025cc 49949->49951 49950->49951 49963 4023b4 13 API calls 49951->49963 49953 40259d 49953->49949 49955 4025a1 49953->49955 49956 4025d9 49959 402635 49956->49959 49960 40262b RtlLeaveCriticalSection 49956->49960 49957 4025d5 49957->49956 49964 402088 49957->49964 49960->49959 49961 4025e5 49961->49956 49978 402210 9 API calls 49961->49978 49963->49957 49965 40209c 49964->49965 49966 4020af 49964->49966 49985 4019cc RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc RtlLeaveCriticalSection 49965->49985 49968 4020c6 
RtlEnterCriticalSection 49966->49968 49971 4020d0 49966->49971 49968->49971 49969 4020a1 49969->49966 49970 4020a5 49969->49970 49974 402106 49970->49974 49971->49974 49979 401f94 49971->49979 49974->49961 49975 4021f1 RtlLeaveCriticalSection 49976 4021fb 49975->49976 49976->49961 49977->49953 49978->49956 49980 401fa4 49979->49980 49981 401fd0 49980->49981 49984 401ff4 49980->49984 49986 401f0c 49980->49986 49981->49984 49991 401db4 49981->49991 49984->49975 49984->49976 49985->49969 49995 40178c 49986->49995 49989 401f29 49989->49980 49992 401dd2 49991->49992 49993 401e02 49991->49993 49992->49984 49993->49992 50018 401d1c 49993->50018 49998 4017a8 49995->49998 49997 4017b2 50014 401678 VirtualAlloc 49997->50014 49998->49997 50000 40180f 49998->50000 50002 401803 49998->50002 50006 4014e4 49998->50006 50015 4013e0 LocalAlloc 49998->50015 50000->49989 50005 401e80 9 API calls 50000->50005 50016 4015c0 VirtualFree 50002->50016 50003 4017be 50003->50000 50005->49989 50007 4014f3 VirtualAlloc 50006->50007 50009 401520 50007->50009 50010 401543 50007->50010 50017 401398 LocalAlloc 50009->50017 50010->49998 50012 40152c 50012->50010 50013 401530 VirtualFree 50012->50013 50013->50010 50014->50003 50015->49998 50016->50000 50017->50012 50019 401d2e 50018->50019 50020 401d51 50019->50020 50021 401d63 50019->50021 50031 401940 50020->50031 50023 401940 3 API calls 50021->50023 50024 401d61 50023->50024 50025 401d79 50024->50025 50041 401bf8 9 API calls 50024->50041 50025->49992 50027 401d88 50028 401da2 50027->50028 50042 401c4c 9 API calls 50027->50042 50043 401454 LocalAlloc 50028->50043 50032 401966 50031->50032 50040 4019bf 50031->50040 50044 40170c 50032->50044 50036 401983 50038 40199a 50036->50038 50049 4015c0 VirtualFree 50036->50049 50038->50040 50050 401454 LocalAlloc 50038->50050 50040->50024 50041->50027 50042->50028 50043->50025 50045 401743 50044->50045 50046 401783 50045->50046 50047 40175d VirtualFree 50045->50047 50048 4013e0 LocalAlloc 50046->50048 
50047->50045 50048->50036 50049->50038 50050->50040 55845 48042c 55850 450ff0 55845->55850 55847 480440 55860 47f518 55847->55860 55849 480464 55851 450ffd 55850->55851 55853 451051 55851->55853 55866 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55851->55866 55854 450e74 InterlockedExchange 55853->55854 55855 451063 55854->55855 55857 451079 55855->55857 55867 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55855->55867 55858 4510bc 55857->55858 55868 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55857->55868 55858->55847 55869 40b5c8 55860->55869 55862 47f53a 55863 47f585 55862->55863 55864 4069e4 4 API calls 55862->55864 55873 4768b0 55862->55873 55863->55849 55864->55862 55866->55853 55867->55857 55868->55858 55871 40b5d3 55869->55871 55870 40b5f3 55870->55862 55871->55870 55889 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55871->55889 55881 4768e1 55873->55881 55883 47692a 55873->55883 55874 476975 55890 451280 55874->55890 55876 451280 21 API calls 55876->55883 55877 4038a4 4 API calls 55877->55881 55878 47698c 55879 403420 4 API calls 55878->55879 55882 4769a6 55879->55882 55880 4038a4 4 API calls 55880->55883 55881->55877 55881->55883 55884 403744 4 API calls 55881->55884 55885 403450 4 API calls 55881->55885 55888 451280 21 API calls 55881->55888 55882->55862 55883->55874 55883->55876 55883->55880 55886 403744 4 API calls 55883->55886 55887 403450 4 API calls 55883->55887 55884->55881 55885->55881 55886->55883 55887->55883 55888->55881 55889->55870 55891 45129b 55890->55891 55895 451290 55890->55895 55896 451224 21 API calls 55891->55896 55893 4512a6 55893->55895 55897 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55893->55897 55895->55878 55896->55893 55897->55895 55898 41ee64 55899 41ee73 IsWindowVisible 55898->55899 55900 41eea9 55898->55900 55899->55900 55901 41ee7d IsWindowEnabled 55899->55901 55901->55900 55902 41ee87 55901->55902 55903 402648 4 API calls 55902->55903 55904 41ee91 EnableWindow 55903->55904 
55904->55900 55905 41fb68 55906 41fb71 55905->55906 55909 41fe0c 55906->55909 55908 41fb7e 55910 41fefe 55909->55910 55911 41fe23 55909->55911 55910->55908 55911->55910 55930 41f9cc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 55911->55930 55913 41fe59 55914 41fe83 55913->55914 55915 41fe5d 55913->55915 55940 41f9cc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 55914->55940 55931 41fbac 55915->55931 55918 41fe91 55920 41fe95 55918->55920 55921 41febb 55918->55921 55924 41fbac 10 API calls 55920->55924 55925 41fbac 10 API calls 55921->55925 55922 41fbac 10 API calls 55923 41fe81 55922->55923 55923->55908 55926 41fea7 55924->55926 55927 41fecd 55925->55927 55928 41fbac 10 API calls 55926->55928 55929 41fbac 10 API calls 55927->55929 55928->55923 55929->55923 55930->55913 55932 41fbc7 55931->55932 55933 41fbdd 55932->55933 55934 41f94c 4 API calls 55932->55934 55941 41f94c 55933->55941 55934->55933 55936 41fc25 55937 41fc48 SetScrollInfo 55936->55937 55949 41faac 55937->55949 55940->55918 55942 4181f0 55941->55942 55943 41f969 GetWindowLongA 55942->55943 55944 41f9a6 55943->55944 55945 41f986 55943->55945 55961 41f8d8 GetWindowLongA GetSystemMetrics GetSystemMetrics 55944->55961 55960 41f8d8 GetWindowLongA GetSystemMetrics GetSystemMetrics 55945->55960 55948 41f992 55948->55936 55950 41faba 55949->55950 55951 41fac2 55949->55951 55950->55922 55952 41fb01 55951->55952 55953 41faf1 55951->55953 55959 41faff 55951->55959 55963 417e58 IsWindowVisible ScrollWindow SetWindowPos 55952->55963 55962 417e58 IsWindowVisible ScrollWindow SetWindowPos 55953->55962 55954 41fb41 GetScrollPos 55954->55950 55957 41fb4c 55954->55957 55958 41fb5b SetScrollPos 55957->55958 55958->55950 55959->55954 55960->55948 55961->55948 55962->55959 55963->55959 55964 4205a8 55965 4205bb 55964->55965 55985 415b40 55965->55985 55967 420702 55968 420719 55967->55968 55992 4146e4 KiUserCallbackDispatcher 55967->55992 55972 420730 55968->55972 55993 414728 
KiUserCallbackDispatcher 55968->55993 55969 420661 55990 420858 20 API calls 55969->55990 55970 4205f6 55970->55967 55970->55969 55978 420652 MulDiv 55970->55978 55975 420752 55972->55975 55994 420070 12 API calls 55972->55994 55976 42067a 55976->55967 55991 420070 12 API calls 55976->55991 55989 41a314 LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 55978->55989 55981 420697 55982 4206b3 MulDiv 55981->55982 55983 4206d6 55981->55983 55982->55983 55983->55967 55984 4206df MulDiv 55983->55984 55984->55967 55986 415b52 55985->55986 55995 414480 55986->55995 55988 415b6a 55988->55970 55989->55969 55990->55976 55991->55981 55992->55968 55993->55972 55994->55975 55996 41449a 55995->55996 55999 410658 55996->55999 55998 4144b0 55998->55988 56002 40dea4 55999->56002 56001 41065e 56001->55998 56003 40df06 56002->56003 56004 40deb7 56002->56004 56009 40df14 56003->56009 56007 40df14 19 API calls 56004->56007 56008 40dee1 56007->56008 56008->56001 56010 40df24 56009->56010 56012 40df3a 56010->56012 56021 40e29c 56010->56021 56037 40d7e0 56010->56037 56040 40e14c 56012->56040 56015 40d7e0 5 API calls 56016 40df42 56015->56016 56016->56015 56017 40dfae 56016->56017 56043 40dd60 56016->56043 56018 40e14c 5 API calls 56017->56018 56020 40df10 56018->56020 56020->56001 56057 40eb6c 56021->56057 56023 403778 4 API calls 56025 40e2d7 56023->56025 56024 40e38d 56026 40e3b7 56024->56026 56027 40e3a8 56024->56027 56025->56023 56025->56024 56120 40d974 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56025->56120 56121 40e280 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56025->56121 56117 40bc24 56026->56117 56066 40e5c0 56027->56066 56032 40e3b5 56034 403400 4 API calls 56032->56034 56035 40e45c 56034->56035 56035->56010 56038 40ec08 5 API calls 56037->56038 56039 40d7ea 56038->56039 56039->56010 56154 40d6bc 56040->56154 56163 40e154 56043->56163 56046 40eb6c 5 API calls 56047 40dd9e 56046->56047 56048 40eb6c 5 API calls 56047->56048 56049 40dda9 
56048->56049 56050 40ddc4 56049->56050 56051 40ddbb 56049->56051 56056 40ddc1 56049->56056 56170 40dbd8 56050->56170 56173 40dcc8 19 API calls 56051->56173 56054 403420 4 API calls 56055 40de8f 56054->56055 56055->56016 56056->56054 56123 40d980 56057->56123 56060 4034e0 4 API calls 56061 40eb8f 56060->56061 56062 403744 4 API calls 56061->56062 56063 40eb96 56062->56063 56064 40d980 5 API calls 56063->56064 56065 40eba4 56064->56065 56065->56025 56067 40e5f6 56066->56067 56068 40e5ec 56066->56068 56070 40e711 56067->56070 56071 40e695 56067->56071 56072 40e6f6 56067->56072 56073 40e776 56067->56073 56074 40e638 56067->56074 56075 40e6d9 56067->56075 56076 40e67a 56067->56076 56077 40e6bb 56067->56077 56110 40e65c 56067->56110 56128 40d640 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56068->56128 56078 40d964 5 API calls 56070->56078 56136 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56071->56136 56141 40ea90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56072->56141 56082 40d964 5 API calls 56073->56082 56129 40d964 56074->56129 56139 40eba8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56075->56139 56135 40da18 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56076->56135 56138 40dfe4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56077->56138 56087 40e719 56078->56087 56081 403400 4 API calls 56088 40e7eb 56081->56088 56089 40e77e 56082->56089 56093 40e723 56087->56093 56094 40e71d 56087->56094 56088->56032 56095 40e782 56089->56095 56096 40e79b 56089->56096 56090 40e6e4 56140 409f38 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56090->56140 56092 40e6a0 56137 40d670 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56092->56137 56142 40ec08 56093->56142 56102 40e721 56094->56102 56103 40e73c 56094->56103 56105 40ec08 5 API calls 56095->56105 56148 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56096->56148 56098 40e661 56134 40e0d8 LocalAlloc 
TlsSetValue TlsGetValue TlsGetValue LoadStringA 56098->56134 56099 40e644 56132 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56099->56132 56146 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56102->56146 56108 40ec08 5 API calls 56103->56108 56105->56110 56112 40e744 56108->56112 56109 40e64f 56133 40e46c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56109->56133 56110->56081 56145 40daa0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56112->56145 56114 40e766 56147 40e4d4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56114->56147 56149 40bbd0 56117->56149 56120->56025 56121->56025 56122 40d974 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56122->56032 56124 40d98b 56123->56124 56125 40d9c5 56124->56125 56127 40d9cc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56124->56127 56125->56060 56127->56124 56128->56067 56130 40ec08 5 API calls 56129->56130 56131 40d96e 56130->56131 56131->56098 56131->56099 56132->56109 56133->56110 56134->56110 56135->56110 56136->56092 56137->56110 56138->56110 56139->56090 56140->56110 56141->56110 56143 40d980 5 API calls 56142->56143 56144 40ec15 56143->56144 56144->56110 56145->56110 56146->56114 56147->56110 56148->56110 56150 40bbe2 56149->56150 56152 40bc07 56149->56152 56150->56152 56153 40bc84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56150->56153 56152->56032 56152->56122 56153->56152 56155 40ec08 5 API calls 56154->56155 56156 40d6c9 56155->56156 56157 40d6dc 56156->56157 56161 40ed0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56156->56161 56157->56016 56159 40d6d7 56162 40d658 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56159->56162 56161->56159 56162->56157 56164 40d964 5 API calls 56163->56164 56165 40e16b 56164->56165 56166 40ec08 5 API calls 56165->56166 56169 40dd93 56165->56169 56167 40e178 56166->56167 56167->56169 56174 40e0d8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 
56167->56174 56169->56046 56175 40ad7c 19 API calls 56170->56175 56172 40dc00 56172->56056 56173->56056 56174->56169 56175->56172 50051 491444 50052 49147e 50051->50052 50053 49148a 50052->50053 50054 491480 50052->50054 50056 491499 50053->50056 50057 4914c2 50053->50057 50247 4090a0 MessageBeep 50054->50247 50059 447008 18 API calls 50056->50059 50062 4914fa 50057->50062 50063 4914d1 50057->50063 50058 403420 4 API calls 50060 491ad6 50058->50060 50061 4914a6 50059->50061 50064 403400 4 API calls 50060->50064 50248 406bb8 50061->50248 50072 491509 50062->50072 50073 491532 50062->50073 50066 447008 18 API calls 50063->50066 50067 491ade 50064->50067 50069 4914de 50066->50069 50256 406c08 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50069->50256 50075 447008 18 API calls 50072->50075 50078 49155a 50073->50078 50079 491541 50073->50079 50074 4914e9 50257 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50074->50257 50077 491516 50075->50077 50258 406c3c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50077->50258 50086 491569 50078->50086 50087 49158e 50078->50087 50260 407288 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetCurrentDirectoryA 50079->50260 50082 491521 50259 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50082->50259 50083 491549 50261 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50083->50261 50088 447008 18 API calls 50086->50088 50090 49159d 50087->50090 50094 4915c6 50087->50094 50089 491576 50088->50089 50262 4072b0 50089->50262 50093 447008 18 API calls 50090->50093 50092 49157e 50265 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50092->50265 50096 4915aa 50093->50096 50097 4915fe 50094->50097 50098 4915d5 50094->50098 50266 42c814 50096->50266 50106 49164a 50097->50106 50107 49160d 50097->50107 50101 447008 18 API calls 50098->50101 50099 491485 50099->50058 50103 4915e2 50101->50103 50276 407200 8 API calls 50103->50276 50112 491659 50106->50112 50113 491682 
50106->50113 50109 447008 18 API calls 50107->50109 50108 4915ed 50277 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50108->50277 50111 49161c 50109->50111 50114 447008 18 API calls 50111->50114 50115 447008 18 API calls 50112->50115 50119 4916ba 50113->50119 50120 491691 50113->50120 50116 49162d 50114->50116 50117 491666 50115->50117 50278 491148 8 API calls 50116->50278 50280 42c8b4 50117->50280 50129 4916c9 50119->50129 50130 4916f2 50119->50130 50123 447008 18 API calls 50120->50123 50121 491639 50279 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50121->50279 50126 49169e 50123->50126 50286 42c8dc 50126->50286 50132 447008 18 API calls 50129->50132 50135 49172a 50130->50135 50136 491701 50130->50136 50134 4916d6 50132->50134 50295 42c90c LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 50134->50295 50143 491739 50135->50143 50144 491762 50135->50144 50138 447008 18 API calls 50136->50138 50140 49170e 50138->50140 50139 4916e1 50296 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50139->50296 50297 42c93c 50140->50297 50146 447008 18 API calls 50143->50146 50150 4917ae 50144->50150 50151 491771 50144->50151 50147 491746 50146->50147 50303 42c964 50147->50303 50156 4917bd 50150->50156 50157 491800 50150->50157 50153 447008 18 API calls 50151->50153 50155 491780 50153->50155 50158 447008 18 API calls 50155->50158 50159 447008 18 API calls 50156->50159 50163 49180f 50157->50163 50164 491873 50157->50164 50160 491791 50158->50160 50161 4917d0 50159->50161 50309 42c508 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 50160->50309 50165 447008 18 API calls 50161->50165 50167 447008 18 API calls 50163->50167 50172 4918b2 50164->50172 50173 491882 50164->50173 50168 4917e1 50165->50168 50166 49179d 50310 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50166->50310 50170 49181c 50167->50170 50311 491340 12 API calls 50168->50311 50239 42c618 7 API calls 50170->50239 
50184 4918f1 50172->50184 50185 4918c1 50172->50185 50176 447008 18 API calls 50173->50176 50175 4917ef 50312 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50175->50312 50179 49188f 50176->50179 50177 49182a 50180 49182e 50177->50180 50181 491863 50177->50181 50315 4528f4 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection DeleteFileA GetLastError 50179->50315 50183 447008 18 API calls 50180->50183 50314 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50181->50314 50188 49183d 50183->50188 50193 491930 50184->50193 50194 491900 50184->50194 50189 447008 18 API calls 50185->50189 50187 49189c 50316 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50187->50316 50240 452c6c 50188->50240 50192 4918ce 50189->50192 50317 45275c 50192->50317 50203 491978 50193->50203 50204 49193f 50193->50204 50199 447008 18 API calls 50194->50199 50195 4918ad 50195->50099 50196 49184d 50313 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50196->50313 50198 4918db 50324 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50198->50324 50202 49190d 50199->50202 50325 452dfc Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 50202->50325 50211 4919c0 50203->50211 50212 491987 50203->50212 50206 447008 18 API calls 50204->50206 50208 49194e 50206->50208 50207 49191a 50326 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50207->50326 50210 447008 18 API calls 50208->50210 50213 49195f 50210->50213 50216 4919d3 50211->50216 50223 491a89 50211->50223 50214 447008 18 API calls 50212->50214 50219 447288 5 API calls 50213->50219 50215 491996 50214->50215 50217 447008 18 API calls 50215->50217 50220 447008 18 API calls 50216->50220 50218 4919a7 50217->50218 50224 447288 5 API calls 50218->50224 50219->50099 50221 491a00 50220->50221 50222 447008 18 API calls 50221->50222 50225 491a17 50222->50225 50223->50099 50330 
[Execution graph: the interactive call-graph rendering did not survive extraction; what remained was the flattened export (graph node id, function address, Windows API labels, id->id call edges). The information recoverable from that export is summarised below. Addresses are function entry points inside Ui6sm6N5JG.exe; "N API calls" nodes are subgraphs the report collapsed into a count.]

Start-up chain (entry 498578): 403344 -> 403349 GetModuleHandleA, GetCommandLineA -> 4056a0 -> 406334 GetModuleHandleA, GetProcAddress -> 406357 GetProcAddress -> 40636d GetProcAddress -> 40637c SetProcessDEPPolicy -> 409954 -> 40902c -> 4085e4 GetSystemDefaultLCID / 408570 GetLocaleInfoA / 406df4 LoadStringA -> 409078 GetVersionExA -> 409b88 (call into 6F9C1CD0) -> 410964 -> 4109ad GetCurrentThreadId -> 412938 -> 41101c -> 419050 GetVersion -> 41de34 (8 API calls) -> 418f48 GetCurrentProcessId -> 4078c8.

File system and WOW64 redirection: 452710 -> 452727 Wow64DisableWow64FsRedirection (452740 SetLastError on the fall-through branch) is called immediately before 452c85 -> 452cad MoveFileA, GetLastError and before 452772 -> 452794 CreateDirectoryA, GetLastError; each is followed by 45274c -> 452751 Wow64RevertWow64FsRedirection. The security-relevant point: file moves and directory creation are done with WOW64 redirection disabled, so on a 64-bit host the 32-bit process writes to the real system directories rather than their SysWOW64 mirrors. Related path handling: 42c837 GetFullPathNameA; 4072b0 and 4072ba SetCurrentDirectoryA; 46c99c GetDriveTypeA; 46c735 SHPathPrepareForWriteA; 42d8a8 GetWindowsDirectoryA; 42d8d4 GetSystemDirectoryA; 42d242 GetEnvironmentVariableA.

Registry: 42de3d RegOpenKeyExA; 42dc36 and 42dcb0 RegQueryValueExA; 47c26d and 455a48 RegCloseKey (reached through 47c22c and 4559fc).

Dynamic import resolution: 42d910 GetModuleHandleA, GetProcAddress (reached from 42d900); the 406334/406357/40636d GetProcAddress chain above resolving SetProcessDEPPolicy. Unresolved module addresses called directly: 73EA5940 (from 41eeb4 and 41f004, after GetCurrentThreadId), 73E9A570 and 73E9A480 (from 44b40f and 44b454), 6F9C1CD0 (from 409b88).

Process, version and locale: 409078 GetVersionExA; 419050 GetVersion; 418f48 GetCurrentProcessId; 4109ad, 41eeb4, 41f004 GetCurrentThreadId; 408728 and 4085e4 GetSystemDefaultLCID; 408570 and 4085bc GetLocaleInfoA; 42e8d8 FormatMessageA.

String handling: 42c454, 42c68c, 42c7ac IsDBCSLeadByte; 42cb4c, 42cb5c, 42e8b0 CharNextA; 44b129 MultiByteToWideChar; 406df4, 40cc80, 41b398, 408be8 LoadStringA.

Window management: 42f5c3 RegisterClassA; 42f5e1 and 42f644 CreateWindowExA; 42f65a, 422c5c, 423675 ShowWindow; 423aaa EnumWindows; 423a2c and 423ac6 GetWindow; 41364c, 41368b, 423a4d GetWindowLongA; 41364c, 41369a SetWindowLongA; 4136a9 SetPropA; 423b11 and 423b24 SetWindowPos; 423608 and 423638 SystemParametersInfoA; 424194 LoadIconA; 41ef70 IsWindow; 41ef7f EnableWindow; 4240aa and 4241ec IsIconic; 423fe7 and 423f88 IsWindowEnabled; 423ffc IsWindowVisible; 42429e GetWindowTextA; 42f59f GetActiveWindow; GetFocus / SetFocus / SetActiveWindow at 4240be, 42400a, 42401f, 4240de, 42422d, 41526b, 42f662, 421d38, 4241fd, 46a36f, 46c1c4, 482c27; 424860 WinHelpA.

Window messaging: 423b94 and 42f53f NtdllDefWindowProc_A; 416b82 CallWindowProcA; SendMessageA at 423f23, 4244f7, 42453c, 416b84, 469bd4, 429104, 429154, 42a050, 44fb82; PostMessageA at 423e2e, 423e79, 424860, 422c5c; 422c5c PostQuitMessage.

GDI and drawing: 41a2b3 CreateFontIndirectA; 41a2d7 SelectObject; 44b173 DrawTextA; 44b129 DrawTextW; 41a068 GetSysColor; 416ba9 SetTextColor; 416bc3 SetBkColor; 495520 and 44fb57 MulDiv.

Runtime helpers: the LocalAlloc, TlsSetValue, TlsGetValue, TlsGetValue sequence appears at 408510, 44735c (with VariantClear), 42453c, 423b24, 47efb0, 408be8, 414af8, 453330, 494660, 466e00, 42dbe0, 402678, 4033bc, 41532c.

Collapsed subgraphs (call counts only): 476b6c 188; 48300c 123; 46bbc8 67; 47d628 61; 47d334 52; 46b758 47; 469dec and 41506c 46; 46bdd8 45; 47bfd8, 46a010, 469e4c 43; 47eadc, 47f018, 47f088 42; 455adc 29; 46b2a0 and 457d58 24; 47ee48 23; 479c64 23; 4540ec 20.
GetSysColor CreateBrushIndirect 55821->55826 55824->55818 55825->55821 55826->55823 55827->55823 57818 4358f0 57819 435905 57818->57819 57823 43591f 57819->57823 57824 4352d8 57819->57824 57828 435322 57824->57828 57829 435308 57824->57829 57825 403400 4 API calls 57826 435727 57825->57826 57826->57823 57837 435738 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57826->57837 57827 446db4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57827->57829 57828->57825 57829->57827 57829->57828 57830 402648 4 API calls 57829->57830 57831 4038a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57829->57831 57833 431cb0 4 API calls 57829->57833 57834 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57829->57834 57835 403744 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57829->57835 57838 4343c0 57829->57838 57850 434b84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57829->57850 57830->57829 57831->57829 57833->57829 57834->57829 57835->57829 57837->57823 57839 43447d 57838->57839 57840 4343ed 57838->57840 57869 434320 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57839->57869 57841 403494 4 API calls 57840->57841 57843 4343fb 57841->57843 57844 403778 4 API calls 57843->57844 57848 43441c 57844->57848 57845 403400 4 API calls 57846 4344cd 57845->57846 57846->57829 57847 43446f 57847->57845 57848->57847 57851 494314 57848->57851 57850->57829 57852 49434c 57851->57852 57853 4943e4 57851->57853 57854 403494 4 API calls 57852->57854 57870 448940 57853->57870 57859 494357 57854->57859 57856 494367 57857 403400 4 API calls 57856->57857 57858 494408 57857->57858 57860 403400 4 API calls 57858->57860 57859->57856 57861 4037b8 4 API calls 57859->57861 57862 494410 57860->57862 57863 494380 57861->57863 57862->57848 57863->57856 57864 4037b8 4 API calls 57863->57864 57865 4943a3 57864->57865 57866 403778 4 API calls 57865->57866 57867 4943d4 57866->57867 57868 403634 4 API calls 57867->57868 57868->57853 57869->57847 57871 448965 57870->57871 57881 4489a8 57870->57881 57872 403494 
4 API calls 57871->57872 57874 448970 57872->57874 57877 4037b8 4 API calls 57874->57877 57875 4489bc 57876 403400 4 API calls 57875->57876 57878 4489ef 57876->57878 57879 44898c 57877->57879 57878->57856 57880 4037b8 4 API calls 57879->57880 57880->57881 57881->57875 57882 44853c 57881->57882 57883 403494 4 API calls 57882->57883 57884 448572 57883->57884 57885 4037b8 4 API calls 57884->57885 57886 448584 57885->57886 57887 403778 4 API calls 57886->57887 57888 4485a5 57887->57888 57889 4037b8 4 API calls 57888->57889 57890 4485bd 57889->57890 57891 403778 4 API calls 57890->57891 57892 4485e8 57891->57892 57893 4037b8 4 API calls 57892->57893 57895 448600 57893->57895 57894 4486d3 57899 4486db GetProcAddress 57894->57899 57895->57894 57897 44865b LoadLibraryExA 57895->57897 57898 44866d LoadLibraryA 57895->57898 57902 448638 57895->57902 57903 403b80 4 API calls 57895->57903 57904 403450 4 API calls 57895->57904 57906 43da98 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57895->57906 57896 403420 4 API calls 57900 448718 57896->57900 57897->57895 57898->57895 57901 4486ee 57899->57901 57900->57875 57901->57902 57902->57896 57903->57895 57904->57895 57906->57895 57907 40ce34 57910 406f18 WriteFile 57907->57910 57911 406f35 57910->57911 55828 416654 55829 416661 55828->55829 55830 4166bb 55828->55830 55836 416560 CreateWindowExA 55829->55836 55837 4162da 55829->55837 55831 416668 SetPropA SetPropA 55831->55830 55832 41669b 55831->55832 55833 4166ae SetWindowPos 55832->55833 55833->55830 55836->55831 55838 416306 55837->55838 55839 4162e6 GetClassInfoA 55837->55839 55838->55831 55839->55838 55840 4162fa GetClassInfoA 55839->55840 55840->55838 57912 4222f4 57913 422303 57912->57913 57918 421284 57913->57918 57916 422323 57919 4212f3 57918->57919 57933 421293 57918->57933 57922 421304 57919->57922 57943 4124e0 GetMenuItemCount GetMenuStringA GetMenuState 57919->57943 57921 421332 57925 4213a5 57921->57925 57930 42134d 57921->57930 57922->57921 57924 4213ca 
57922->57924 57923 4213a3 57926 4213f6 57923->57926 57945 421e3c 11 API calls 57923->57945 57924->57923 57928 4213de SetMenu 57924->57928 57925->57923 57932 4213b9 57925->57932 57946 4211cc 10 API calls 57926->57946 57928->57923 57930->57923 57936 421370 GetMenu 57930->57936 57931 4213fd 57931->57916 57941 4221f8 10 API calls 57931->57941 57935 4213c2 SetMenu 57932->57935 57933->57919 57942 408d34 19 API calls 57933->57942 57935->57923 57937 421393 57936->57937 57938 42137a 57936->57938 57944 4124e0 GetMenuItemCount GetMenuStringA GetMenuState 57937->57944 57940 42138d SetMenu 57938->57940 57940->57937 57941->57916 57942->57933 57943->57922 57944->57923 57945->57926 57946->57931 57947 44b4b8 57948 44b4c6 57947->57948 57950 44b4e5 57947->57950 57949 44b39c 11 API calls 57948->57949 57948->57950 57949->57950 57951 448738 57952 448766 57951->57952 57953 44876d 57951->57953 57955 403400 4 API calls 57952->57955 57954 448781 57953->57954 57956 44853c 7 API calls 57953->57956 57954->57952 57957 403494 4 API calls 57954->57957 57959 448917 57955->57959 57956->57954 57958 44879a 57957->57958 57960 4037b8 4 API calls 57958->57960 57961 4487b6 57960->57961 57962 4037b8 4 API calls 57961->57962 57963 4487d2 57962->57963 57963->57952 57964 4487e6 57963->57964 57965 4037b8 4 API calls 57964->57965 57966 448800 57965->57966 57967 431be0 4 API calls 57966->57967 57968 448822 57967->57968 57969 431cb0 4 API calls 57968->57969 57974 448842 57968->57974 57969->57968 57970 448898 57983 442344 57970->57983 57972 448880 57972->57970 57995 4435e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57972->57995 57974->57972 57994 4435e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57974->57994 57976 4488cc GetLastError 57996 4484d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57976->57996 57978 4488db 57997 443620 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57978->57997 57980 4488f0 57998 443630 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57980->57998 57982 4488f8 57984 443322 
57983->57984 57985 44237d 57983->57985 57987 403400 4 API calls 57984->57987 57986 403400 4 API calls 57985->57986 57988 442385 57986->57988 57989 443337 57987->57989 57990 431be0 4 API calls 57988->57990 57989->57976 57991 442391 57990->57991 57992 443312 57991->57992 57999 441a1c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57991->57999 57992->57976 57994->57974 57995->57970 57996->57978 57997->57980 57998->57982 57999->57991 58000 4165fc 73EA5CF0 58001 42e3ff SetErrorMode
                                                                              Strings
                                                                              • Version of existing file: (none), xrefs: 00470FA2
                                                                              • Time stamp of existing file: (failed to read), xrefs: 00470CDF
                                                                              • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0047113E
                                                                              • @, xrefs: 00470A58
                                                                              • User opted not to overwrite the existing file. Skipping., xrefs: 004710F5
                                                                              • Will register the file (a DLL/OCX) later., xrefs: 004717AD
                                                                              • InUn, xrefs: 004713ED
                                                                              • Non-default bitness: 32-bit, xrefs: 00470B63
                                                                              • Incrementing shared file count (64-bit)., xrefs: 0047181A
                                                                              • Time stamp of our file: %s, xrefs: 00470C43
                                                                              • Time stamp of existing file: %s, xrefs: 00470CD3
                                                                              • Installing the file., xrefs: 004711B1
                                                                              • , xrefs: 00470E77, 00471048, 004710C6
                                                                              • Non-default bitness: 64-bit, xrefs: 00470B57
                                                                              • Skipping due to "onlyifdoesntexist" flag., xrefs: 00470C76
                                                                              • Version of our file: (none), xrefs: 00470DA4
                                                                              • Installing into GAC, xrefs: 004719A2
                                                                              • Existing file has a later time stamp. Skipping., xrefs: 00471077
                                                                              • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470F6C
                                                                              • Time stamp of our file: (failed to read), xrefs: 00470C4F
                                                                              • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470F5D
                                                                              • Uninstaller requires administrator: %s, xrefs: 0047141D
                                                                              • Couldn't read time stamp. Skipping., xrefs: 00470FDD
                                                                              • Dest file exists., xrefs: 00470C63
                                                                              • Skipping due to "onlyifdestfileexists" flag., xrefs: 004711A2
                                                                              • Dest filename: %s, xrefs: 00470B3C
                                                                              • Same version. Skipping., xrefs: 00470F8D
                                                                              • Existing file is a newer version. Skipping., xrefs: 00470EAA
                                                                              • Same time stamp. Skipping., xrefs: 00470FFD
                                                                              • .tmp, xrefs: 0047125F
                                                                              • Version of existing file: %u.%u.%u.%u, xrefs: 00470E24
                                                                              • -- File entry --, xrefs: 004709A3
                                                                              • Failed to strip read-only attribute., xrefs: 0047117B
                                                                              • Dest file is protected by Windows File Protection., xrefs: 00470B95
                                                                              • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470F78
                                                                              • Will register the file (a type library) later., xrefs: 004717A1
                                                                              • Incrementing shared file count (32-bit)., xrefs: 00471833
                                                                              • Version of our file: %u.%u.%u.%u, xrefs: 00470D98
                                                                              • Existing file is protected by Windows File Protection. Skipping., xrefs: 00471094
                                                                              • Stripped read-only attribute., xrefs: 0047116F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                              • API String ID: 0-4021121268
                                                                              • Opcode ID: 37ba39076e8f210f702745b7d33ab1b6cbc29d83952fc568139b6c082dd49221
                                                                              • Instruction ID: 00dcbbebc37e67597ddb11db3b00c056d98a3663d13b65a1c96947d1bb872b77
                                                                              • Opcode Fuzzy Hash: 37ba39076e8f210f702745b7d33ab1b6cbc29d83952fc568139b6c082dd49221
                                                                              • Instruction Fuzzy Hash: 2C927534A04288DFDB11DFA9C845BDDBBB5AF05304F5480ABE848AB392C7789E45CB59

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 1546 42e0ac-42e0bd 1547 42e0c8-42e0ed AllocateAndInitializeSid 1546->1547 1548 42e0bf-42e0c3 1546->1548 1549 42e297-42e29f 1547->1549 1550 42e0f3-42e110 GetVersion 1547->1550 1548->1549 1551 42e112-42e127 GetModuleHandleA GetProcAddress 1550->1551 1552 42e129-42e12b 1550->1552 1551->1552 1553 42e152-42e16c GetCurrentThread OpenThreadToken 1552->1553 1554 42e12d-42e13b CheckTokenMembership 1552->1554 1557 42e1a3-42e1cb GetTokenInformation 1553->1557 1558 42e16e-42e178 GetLastError 1553->1558 1555 42e141-42e14d 1554->1555 1556 42e279-42e28f FreeSid 1554->1556 1555->1556 1559 42e1e6-42e20a call 402648 GetTokenInformation 1557->1559 1560 42e1cd-42e1d5 GetLastError 1557->1560 1561 42e184-42e197 GetCurrentProcess OpenProcessToken 1558->1561 1562 42e17a-42e17f call 4031bc 1558->1562 1573 42e218-42e220 1559->1573 1574 42e20c-42e216 call 4031bc * 2 1559->1574 1560->1559 1564 42e1d7-42e1e1 call 4031bc * 2 1560->1564 1561->1557 1563 42e199-42e19e call 4031bc 1561->1563 1562->1549 1563->1549 1564->1549 1576 42e222-42e223 1573->1576 1577 42e253-42e271 call 402660 CloseHandle 1573->1577 1574->1549 1580 42e225-42e238 EqualSid 1576->1580 1584 42e23a-42e247 1580->1584 1585 42e24f-42e251 1580->1585 1584->1585 1588 42e249-42e24d 1584->1588 1585->1577 1585->1580 1588->1577
                                                                              APIs
                                                                              • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0E6
                                                                              • GetVersion.KERNEL32(00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E103
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E11C
                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E122
                                                                              • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E137
                                                                              • FreeSid.ADVAPI32(00000000,0042E297,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E28A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                              • String ID: CheckTokenMembership$advapi32.dll
                                                                              • API String ID: 2252812187-1888249752
                                                                              • Opcode ID: dfa08fd94d7286335d22f987ae6d0bc512a1d03bb366aa7b3c061580d116a88c
                                                                              • Instruction ID: 1c76bb1748f4203a7925b196b2d5623075850b54fd141b793a49aa5c8bf5bf77
                                                                              • Opcode Fuzzy Hash: dfa08fd94d7286335d22f987ae6d0bc512a1d03bb366aa7b3c061580d116a88c
                                                                              • Instruction Fuzzy Hash: 22517571B44615EEEB10EAE6A842BBF7BACDB09304F9404BBB501F7282D57C9904867D
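
                                                                               The graph above is the stub's local-administrator check, and its arguments are worth decoding before reading the GetProcAddress use as import hiding. AllocateAndInitializeSid receives the authority at 00499788 (SECURITY_NT_AUTHORITY, value 5), a sub-authority count of 2, and the sub-authorities 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS), which is S-1-5-32-544, BUILTIN\Administrators. CheckTokenMembership is looked up by name behind a GetVersion test, the usual compatibility idiom for an API that older Windows lacks, and the OpenThreadToken / OpenProcessToken / GetTokenInformation(TokenGroups) / EqualSid path is the fallback when it is unavailable. The Python below is an added example for this report, not code from the sample or from the report's tooling: it rebuilds the SID from those constants and replays the membership loop on constructed token-group lists. The attribute handling (enabled versus deny-only) is an assumption that mirrors CheckTokenMembership's documented behaviour; the graph does not show how the fallback treats attributes.

```python
"""Decode the AllocateAndInitializeSid arguments from the call graph and replay
the TokenGroups / EqualSid membership test in pure Python.

Added example for this report; not code from the analysed sample. The binary
SID layout and the attribute flags are the documented Windows ones; the token
group lists at the bottom are constructed for the demonstration.
"""
import struct
from typing import Iterable, List, Tuple

# SID_AND_ATTRIBUTES.Attributes flags from winnt.h
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010

# Values visible in the AllocateAndInitializeSid call in the report:
# pIdentifierAuthority 00499788 -> SECURITY_NT_AUTHORITY {0,0,0,0,0,5},
# nSubAuthorityCount 2, sub-authorities 0x20 and 0x220.
SECURITY_NT_AUTHORITY = 5
SECURITY_BUILTIN_DOMAIN_RID = 0x20
DOMAIN_ALIAS_RID_ADMINS = 0x220


def allocate_and_initialize_sid(authority: int, subauths: Iterable[int]) -> bytes:
    """Lay out a binary SID the way AllocateAndInitializeSid does:
    Revision (1 byte, always 1), SubAuthorityCount (1 byte),
    IdentifierAuthority (6 bytes, big-endian), then each sub-authority
    as a little-endian DWORD."""
    subs = list(subauths)
    if not 0 < len(subs) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    return (bytes([1, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_to_string(sid: bytes) -> str:
    """Render a binary SID in the S-1-<authority>-<sub>... form."""
    revision, count = sid[0], sid[1]
    if revision != 1 or len(sid) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def equal_sid(a: bytes, b: bytes) -> bool:
    """EqualSid compares revision, count, authority and every sub-authority;
    for well-formed SIDs that is a plain byte comparison."""
    return a == b


def is_member(token_groups: List[Tuple[bytes, int]], target: bytes) -> bool:
    """The EqualSid loop over TOKEN_GROUPS from the graph, plus the attribute
    rule CheckTokenMembership applies (an assumption for the legacy path):
    a matching group only counts when it is enabled and not deny-only.
    A UAC-filtered administrator token still lists S-1-5-32-544, but marked
    SE_GROUP_USE_FOR_DENY_ONLY, so it must report False."""
    for sid, attributes in token_groups:
        if not equal_sid(sid, target):
            continue
        if attributes & SE_GROUP_USE_FOR_DENY_ONLY:
            return False
        if attributes & SE_GROUP_ENABLED:
            return True
    return False


ADMINISTRATORS = allocate_and_initialize_sid(
    SECURITY_NT_AUTHORITY, [SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS])

# Constructed token-group lists (not taken from the report).
EVERYONE = allocate_and_initialize_sid(1, [0])           # S-1-1-0
USERS = allocate_and_initialize_sid(5, [0x20, 0x221])    # S-1-5-32-545

ELEVATED_TOKEN = [(EVERYONE, SE_GROUP_ENABLED),
                  (USERS, SE_GROUP_ENABLED),
                  (ADMINISTRATORS, SE_GROUP_ENABLED)]
UAC_FILTERED_TOKEN = [(EVERYONE, SE_GROUP_ENABLED),
                      (USERS, SE_GROUP_ENABLED),
                      (ADMINISTRATORS, SE_GROUP_USE_FOR_DENY_ONLY)]
STANDARD_USER_TOKEN = [(EVERYONE, SE_GROUP_ENABLED),
                       (USERS, SE_GROUP_ENABLED)]

if __name__ == "__main__":
    print(sid_to_string(ADMINISTRATORS))
    for name, groups in [("elevated", ELEVATED_TOKEN),
                         ("uac-filtered", UAC_FILTERED_TOKEN),
                         ("standard", STANDARD_USER_TOKEN)]:
        print(name, is_member(groups, ADMINISTRATORS))
```

                                                                               Run stand-alone it prints S-1-5-32-544 and then True, False, False for the three constructed tokens. The deny-only case is the one worth remembering when reading this kind of check in a dropper: an administrator's unelevated (UAC-filtered) token still contains the Administrators SID, and a loop that only calls EqualSid without inspecting the Attributes field would wrongly conclude it is running elevated.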

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 1610 4502ac-4502b9 1611 4502bf-4502cc GetVersion 1610->1611 1612 450368-450372 1610->1612 1611->1612 1613 4502d2-4502e8 LoadLibraryA 1611->1613 1613->1612 1614 4502ea-450363 GetProcAddress * 6 1613->1614 1614->1612
                                                                              APIs
                                                                              • GetVersion.KERNEL32(00480618), ref: 004502BF
                                                                              • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480618), ref: 004502D7
                                                                              • GetProcAddress.KERNEL32(6FC90000,RmStartSession), ref: 004502F5
                                                                              • GetProcAddress.KERNEL32(6FC90000,RmRegisterResources), ref: 0045030A
                                                                              • GetProcAddress.KERNEL32(6FC90000,RmGetList), ref: 0045031F
                                                                              • GetProcAddress.KERNEL32(6FC90000,RmShutdown), ref: 00450334
                                                                              • GetProcAddress.KERNEL32(6FC90000,RmRestart), ref: 00450349
                                                                              • GetProcAddress.KERNEL32(6FC90000,RmEndSession), ref: 0045035E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoadVersion
                                                                              • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                              • API String ID: 1968650500-3419246398
                                                                              • Opcode ID: e7a86348d8f011b95a06015b0bab06b6210f60d72cb8efa7c77c846e57fe45c9
                                                                              • Instruction ID: 1cbd638475316f18669290cc5db137bdc69b0bbe350ace6e5bf0246856dda450
                                                                              • Opcode Fuzzy Hash: e7a86348d8f011b95a06015b0bab06b6210f60d72cb8efa7c77c846e57fe45c9
                                                                              • Instruction Fuzzy Hash: CC11A5B4541740DBDA10FBA5BB85A2A32E9E72C715B08563BEC44AA1A2DB7C4448CF9C

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:

                                                                              APIs
                                                                                • Part of subcall function 0049529C: GetWindowRect.USER32(00000000), ref: 004952B2
                                                                              • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467ADF
                                                                                • Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00467AF9), ref: 0041D6EB
                                                                                • Part of subcall function 004674EC: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046758F
                                                                                • Part of subcall function 004674EC: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004675B5
                                                                                • Part of subcall function 004674EC: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 0046760C
                                                                                • Part of subcall function 00466EAC: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467B94,00000000,00000000,00000000,0000000C,00000000), ref: 00466EC4
                                                                                • Part of subcall function 00495520: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 0049552A
                                                                                • Part of subcall function 0042ED48: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8
                                                                                • Part of subcall function 0042ED48: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5
                                                                                • Part of subcall function 004951EC: 73E9A570.USER32(00000000,?,?,?), ref: 0049520E
                                                                                • Part of subcall function 004951EC: SelectObject.GDI32(?,00000000), ref: 00495234
                                                                                • Part of subcall function 004951EC: 73E9A480.USER32(00000000,?,00495292,0049528B,?,00000000,?,?,?), ref: 00495285
                                                                                • Part of subcall function 00495510: MulDiv.KERNEL32(0000004B,?,00000006), ref: 0049551A
                                                                              • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,02129D8C,0212B978,?,?,0212B9A8,?,?,0212B9F8,?), ref: 00468769
                                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046877A
                                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468792
                                                                                • Part of subcall function 0042A06C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A082
                                                                              Similarity
                                                                              • API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
                                                                              • String ID: $(Default)$STOPIMAGE$k H
                                                                              • API String ID: 3271511185-4041106330
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 00475251
                                                                              • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 0047532E
                                                                              • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 0047533C
                                                                              Similarity
                                                                              • API ID: Find$File$CloseFirstNext
                                                                              • String ID: unins$unins???.*
                                                                              • API String ID: 3541575487-1009660736
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AAF,?,?,-00000001,00000000), ref: 00452A89
                                                                              • GetLastError.KERNEL32(00000000,?,00000000,00452AAF,?,?,-00000001,00000000), ref: 00452A91
                                                                              Similarity
                                                                              • API ID: ErrorFileFindFirstLast
                                                                              • String ID:
                                                                              • API String ID: 873889042-0
                                                                              APIs
                                                                              • GetVersion.KERNEL32(?,0046E422), ref: 0046E396
                                                                              • CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E422), ref: 0046E3B2
                                                                              Similarity
                                                                              • API ID: CreateInstanceVersion
                                                                              • String ID:
                                                                              • API String ID: 1462612201-0
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                                              • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                                              • Opcode Fuzzy Hash: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                                              • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: NameUser
                                                                              • String ID:
                                                                              • API String ID: 2645101109-0
                                                                              • Opcode ID: cd9d261bbe345dbfbc1978f69ea3c80f8509ceaa1a51dcff4dfe5a18c54a8916
                                                                              • Instruction ID: 445fb77b721d6e8bc33303137c5d79e403f1e24c04085a252f4bbff9531eb306
                                                                              • Opcode Fuzzy Hash: cd9d261bbe345dbfbc1978f69ea3c80f8509ceaa1a51dcff4dfe5a18c54a8916
                                                                              • Instruction Fuzzy Hash: 6AD0C271304704A3C700AAA99C825AA35DD8B84315F00483F3CC6DA3C3FABDDA481696
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F54C
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                                              • Instruction ID: 55aff4e3ab0814f5b97a0c0db1ec4da333d3f7c11773d115dc143ade784a7ab4
                                                                              • Opcode Fuzzy Hash: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                                              • Instruction Fuzzy Hash: BAD05E7120010C7B9B00DE9CE840C6B33BC9B88700BA08825F918C7202C634ED5187A8

                                                                               Control-flow Graph
                                                                               • Function entry 0046F300, basic blocks 46F300-46F99D (the rendered graph and its executed/not-executed colouring are not recoverable from the text)
                                                                               • Windows API nodes in the graph: RegCloseKey (block 46F987-46F99D); the RegSetValueExA writes happen inside the helper subroutines 0046F0EC and 0046F15C that this function calls repeatedly
                                                                              APIs
                                                                                • Part of subcall function 0046F0EC: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,004763FA,?,0049C1D0,?,0046F403,?,00000000,0046F99E,?,_is1), ref: 0046F10F
                                                                                • Part of subcall function 0046F15C: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F7DA,?,?,00000000,0046F99E,?,_is1,?), ref: 0046F16F
                                                                              • RegCloseKey.ADVAPI32(?,0046F9A5,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F9F0,?,?,0049C1D0,00000000), ref: 0046F998
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Value$Close
                                                                              • String ID: " /SILENT$5.5.0 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                              • API String ID: 3391052094-1769338133
                                                                              • Opcode ID: 67f6315d958a58f45cb4284f97db66795a1d98a02650a50bcbb58ac39832d899
                                                                              • Instruction ID: 138fe2a8aa43a8f2517aa1aee13eacc10811dc4b0cf032f1bf39601b5d09dcc5
                                                                              • Opcode Fuzzy Hash: 67f6315d958a58f45cb4284f97db66795a1d98a02650a50bcbb58ac39832d899
                                                                              • Instruction Fuzzy Hash: 96126331A001089BCB04EB55F891ADE77F5FB49304F60807BE841AB396EB79BD49CB59

                                                                               Control-flow Graph
                                                                               • Function entry 00492208, basic blocks 492208-4926FC (the rendered graph and its executed/not-executed colouring are not recoverable from the text)
                                                                               • Windows API nodes in the graph, one branch per script function name in the String ID list below: Sleep; FindWindowA (two sites, class name and window name); SendMessageA (two sites); PostMessageA (two sites); SendNotifyMessageA (two sites); RegisterClipboardFormatA; GetProcAddress; GetLastError; FreeLibrary; CreateMutexA; OemToCharBuffA; CharToOemBuffA
                                                                              APIs
                                                                              • Sleep.KERNEL32(00000000,00000000,004926FD,?,?,?,?,00000000,00000000,00000000), ref: 00492248
                                                                              • FindWindowA.USER32(00000000,00000000), ref: 00492279
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FindSleepWindow
                                                                              • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                              • API String ID: 3078808852-3310373309
                                                                              • Opcode ID: c1ec15085ba63eb54c7011cdac0519612329d97296155b19e28ce0d5a23e6700
                                                                              • Instruction ID: d4b9d66e752ac066ee841e8e0b6dcdad2790022369f15f3c2d7e05b7c0e56f01
                                                                              • Opcode Fuzzy Hash: c1ec15085ba63eb54c7011cdac0519612329d97296155b19e28ce0d5a23e6700
                                                                              • Instruction Fuzzy Hash: 7BC18360B042003BDB14BE3E8D4651F599AAF98704B21DA3FB446EB78BDE7DDC0A4359

                                                                               Control-flow Graph
                                                                               • Function entry 004834FC, basic blocks 4834FC-4835D2 (the rendered graph and its executed/not-executed colouring are not recoverable from the text)
                                                                               • Windows API nodes in the graph: GetModuleHandleA (two sites), GetProcAddress (four sites), GetNativeSystemInfo, GetCurrentProcess, GetSystemInfo; GetSystemInfo is the fallback taken when GetNativeSystemInfo cannot be resolved
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0048350D
                                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0048351A
                                                                              • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483528
                                                                              • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483530
                                                                              • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0048353C
                                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0048355D
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483570
                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483576
                                                                              • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0048358D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                              • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                              • API String ID: 2230631259-2623177817
                                                                              • Opcode ID: 902794c9b05e674b3c8cbfb7d2ebb6c35b92e2ba612f62c852d4d82e66413226
                                                                              • Instruction ID: aef9cc714e700b71c16e3c25fef244724f393c0ebf8792b51c17ae6c670cb8ad
                                                                              • Opcode Fuzzy Hash: 902794c9b05e674b3c8cbfb7d2ebb6c35b92e2ba612f62c852d4d82e66413226
                                                                              • Instruction Fuzzy Hash: 3C11B181104341B4DA22BB799C4AB7FA5C88B14F1EF084C3B6C41662C2DBBCCF45972E

                                                                               Control-flow Graph
                                                                               • Function entry 004690F4, basic blocks 4690F4-469328 (the rendered graph and its executed/not-executed colouring are not recoverable from the text)
                                                                               • Windows API nodes in the graph: RegCloseKey (block 4692E6-4692FC); the RegOpenKeyExA call happens inside the helper subroutine 0042DE2C
                                                                              APIs
                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                              • RegCloseKey.ADVAPI32(?,0046930E,?,?,00000001,00000000,00000000,00469329,?,00000000,00000000,?), ref: 004692F7
                                                                              Strings
                                                                              • Inno Setup: Icon Group, xrefs: 004691D2
                                                                              • Inno Setup: Selected Components, xrefs: 00469216
                                                                              • %s\%s_is1, xrefs: 00469171
                                                                              • Inno Setup: User Info: Name, xrefs: 004692B3
                                                                              • Inno Setup: No Icons, xrefs: 004691DF
                                                                              • Inno Setup: App Path, xrefs: 004691B6
                                                                              • Inno Setup: Setup Type, xrefs: 00469206
                                                                              • Inno Setup: Deselected Components, xrefs: 00469238
                                                                              • Inno Setup: User Info: Organization, xrefs: 004692C6
                                                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00469153
                                                                              • Inno Setup: Deselected Tasks, xrefs: 00469285
                                                                              • Inno Setup: Selected Tasks, xrefs: 00469263
                                                                              • Inno Setup: User Info: Serial, xrefs: 004692D9
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                              • API String ID: 47109696-1093091907
                                                                              • Opcode ID: 25db79955295e6fcdf5aa6e288321b734c42c3c57179da3fb439077398282def
                                                                              • Instruction ID: 061cd232f3236ea8aa9d1be5d6e88d15b117e94232a8cb9589ebe07a9024ca8b
                                                                              • Opcode Fuzzy Hash: 25db79955295e6fcdf5aa6e288321b734c42c3c57179da3fb439077398282def
                                                                              • Instruction Fuzzy Hash: 2451A530A007049BCB11DB65D991BDEB7F9EF49304F5084BAE841A7391E778AE05CB59
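The two function summaries above, 0046F300 writing the Inno Setup uninstall values and 004690F4 reading them back, share one report layout: API call lines ending in a `ref:` address (some marked as coming from a subcall), a Strings section with xrefs, and a `$`-separated String ID list. The Python below is an added triage helper, not part of the Joe Sandbox report or of the analysed sample. It parses that layout from a constructed excerpt of these two blocks and classifies each function's use of the `Software\Microsoft\Windows\CurrentVersion\Uninstall` key. The excerpt, the class names and the classification labels are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not the report's own output): the summaries for the
# uninstall-key writer at 0046F300 and the reader at 004690F4, copied from the
# report above with each control-flow-graph dump cut after its first node.
SAMPLE = r"""
control_flow_graph 406 46f300-46f332 407 46f334-46f33b 406->407
APIs
  • Part of subcall function 0046F0EC: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,004763FA,?,0049C1D0,?,0046F403,?,00000000,0046F99E,?,_is1), ref: 0046F10F
  • Part of subcall function 0046F15C: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F7DA,?,?,00000000,0046F99E,?,_is1,?), ref: 0046F16F
• RegCloseKey.ADVAPI32(?,0046F9A5,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F9F0,?,?,0049C1D0,00000000), ref: 0046F998
Strings
Similarity
• API ID: Value$Close
• String ID: " /SILENT$5.5.0 (a)$DisplayName$Inno Setup: Setup Version$NoModify$QuietUninstallString$Software\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallString$_is1
• Opcode ID: 67f6315d958a58f45cb4284f97db66795a1d98a02650a50bcbb58ac39832d899
• Instruction Fuzzy Hash: 96126331A001089BCB04EB55F891ADE77F5FB49304F60807BE841AB396EB79BD49CB59
control_flow_graph 1615 4690f4-46912c call 47bfd8 1618 469132-469142 call 478d40 1615->1618
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(?,0046930E,?,?,00000001,00000000,00000000,00469329,?,00000000,00000000,?), ref: 004692F7
Strings
• Inno Setup: App Path, xrefs: 004691B6
• %s\%s_is1, xrefs: 00469171
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Inno Setup: App Path$Software\Microsoft\Windows\CurrentVersion\Uninstall
• Opcode ID: 25db79955295e6fcdf5aa6e288321b734c42c3c57179da3fb439077398282def
• Instruction Fuzzy Hash: 2451A530A007049BCB11DB65D991BDEB7F9EF49304F5084BAE841A7391E778AE05CB59
"""

# Line shapes used by the report's per-function blocks.
CFG_LINE = re.compile(r"^\s*control_flow_graph\s+\d+\s+([0-9a-fA-F]+)-")
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
XREF_LINE = re.compile(r"^\s*•\s*(?P<s>.+?), xrefs: [0-9A-F]+\s*$")
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")
OPCODE_LINE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]+)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str           # address of the call instruction
    subcall: str = ""  # callee that actually issues the call, "" when direct


@dataclass
class FunctionSummary:
    entry: str = "?"   # first basic block from the control-flow-graph dump
    opcode_id: str = ""
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    def add_string(self, s):
        if s and s not in self.strings:
            self.strings.append(s)


def parse_report(text):
    """Split report text into one FunctionSummary per function block."""
    funcs, cur = [], FunctionSummary()
    for line in text.splitlines():
        if m := CFG_LINE.match(line):
            cur.entry = m.group(1).upper()
        elif m := API_LINE.match(line):
            cur.calls.append(ApiCall(m["api"], m["module"], m["args"].split(","),
                                     m["ref"], m["sub"] or ""))
        elif m := STRING_ID_LINE.match(line):
            # '$' is the report's separator, so a literal '$' inside a string
            # cannot be told apart from a boundary; cross-check with the xrefs.
            for s in m["ids"].split("$"):
                cur.add_string(s)
        elif m := XREF_LINE.match(line):
            cur.add_string(m["s"])
        elif m := OPCODE_LINE.match(line):
            cur.opcode_id = m["id"]
        elif "Instruction Fuzzy Hash" in line:   # last line of every block
            funcs.append(cur)
            cur = FunctionSummary()
    return funcs


UNINSTALL_KEY = r"Software\Microsoft\Windows\CurrentVersion\Uninstall"
WRITERS = {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA", "RegCreateKeyExW"}
READERS = {"RegOpenKeyExA", "RegOpenKeyExW", "RegQueryValueExA", "RegQueryValueExW"}


def classify(func):
    """Label what the function does with the Uninstall key (assumed labels)."""
    if not any(UNINSTALL_KEY.lower() in s.lower() for s in func.strings):
        return "no uninstall-key activity"
    apis = {c.api for c in func.calls}
    if apis & WRITERS:
        return "writes uninstall key"
    if apis & READERS:
        return "reads uninstall key"
    return "references uninstall key"


def value_names_written(func):
    """lpValueName (2nd argument) of every RegSetValueEx* call in the block."""
    return [c.args[1] for c in func.calls
            if c.api.startswith("RegSetValueEx") and len(c.args) > 1]


if __name__ == "__main__":
    for f in parse_report(SAMPLE):
        print(f"{f.entry}: {classify(f)}; values written {value_names_written(f)}; "
              f"{len(f.strings)} strings")
```

Run against the excerpt it reports 46F300 as the writer (value names `Inno Setup: Setup Version` and `NoModify`, both issued from the helper subroutines) and 4690F4 as the reader. The `QuietUninstallString` and `" /SILENT` strings in the writer's list are the marker that the installer registers an uninstall command which runs without prompting, which is worth recording alongside the `_is1` key name when building detection content for this sample.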

                                                                               Control-flow Graph
                                                                               • Function entry 0047CB30, basic blocks 47CB30-47CC6A (the rendered graph and its executed/not-executed colouring are not recoverable from the text)
                                                                               • Windows API nodes in the graph: GetProcAddress (block 47CC27-47CC41)
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(6FFF0000,SHGetFolderPathA), ref: 0047CC32
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc
                                                                              • String ID: -rI$Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                              • API String ID: 190572456-1821436788

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498590), ref: 0040633A
                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
                                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
                                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498590), ref: 0040637E
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModulePolicyProcess
                                                                              • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                              • API String ID: 3256987805-3653653586

                                                                              APIs
                                                                                • Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                              • GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
                                                                              • RegisterClassA.USER32(00499630), ref: 004238C7
                                                                              • GetSystemMetrics.USER32(00000000), ref: 004238E9
                                                                              • GetSystemMetrics.USER32(00000001), ref: 004238F8
                                                                              • SetWindowLongA.USER32(00410660,000000FC,0042369C), ref: 00423954
                                                                              • SendMessageA.USER32(00410660,00000080,00000001,00000000), ref: 00423975
                                                                              • GetSystemMenu.USER32(00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
                                                                              • DeleteMenu.USER32(00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
                                                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
                                                                              • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2
                                                                              Similarity
                                                                              • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                              • String ID:
                                                                              • API String ID: 183575631-0

                                                                              APIs
                                                                              • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046758F
                                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004675B5
                                                                                • Part of subcall function 0046742C: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004674C4
                                                                                • Part of subcall function 0046742C: DestroyCursor.USER32(00000000), ref: 004674DA
                                                                              • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 0046760C
                                                                              • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046766D
                                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467693
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                              • String ID: c:\directory$k H$shell32.dll
                                                                              • API String ID: 3376378930-433663191

                                                                              APIs
                                                                              • GetActiveWindow.USER32 ref: 0042F59F
                                                                              • GetFocus.USER32 ref: 0042F5A7
                                                                              • RegisterClassA.USER32(004997AC), ref: 0042F5C8
                                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F69C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F606
                                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F64C
                                                                              • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F65D
                                                                              • SetFocus.USER32(00000000,00000000,0042F67F,?,?,?,00000001,00000000,?,00458696,00000000,0049B628), ref: 0042F664
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                              • String ID: TWindowDisabler-Window
                                                                              • API String ID: 3167913817-1824977358
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 004531FC
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453202
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 00453216
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045321C
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                              • API String ID: 1646373207-2130885113
                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047C973,?,?,00000000,0049B628,00000000,00000000,?,00497F09,00000000,004980B2,?,00000000), ref: 0047C893
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0047C973,?,?,00000000,0049B628,00000000,00000000,?,00497F09,00000000,004980B2,?,00000000), ref: 0047C89C
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup
                                                                              • API String ID: 1375471231-1421604804
                                                                              APIs
                                                                              • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430958
                                                                              • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430967
                                                                              • GetCurrentThreadId.KERNEL32 ref: 00430981
                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 004309A2
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                              • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                              • API String ID: 4130936913-2943970505
                                                                              • Opcode ID: 78856a4ce41e30232f7250bb6d0de12fd7185dbc6f50e75004d9522d85a73123
                                                                              • Instruction ID: fe08fc0df2a0eca0a869f0df0621173a2940aa0bc2523ddfe777e35bb070d714
                                                                              • Opcode Fuzzy Hash: 78856a4ce41e30232f7250bb6d0de12fd7185dbc6f50e75004d9522d85a73123
                                                                              • Instruction Fuzzy Hash: 30F082B0958340CEE300EB25994271A7BE0EF58318F00467FF498A63E2D7399900CB5F
                                                                              APIs
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,004725B5,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951), ref: 00472591
                                                                              • FindClose.KERNEL32(000000FF,004725BC,004725B5,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951,?), ref: 004725AF
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,004726D7,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951), ref: 004726B3
                                                                              • FindClose.KERNEL32(000000FF,004726DE,004726D7,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951,?), ref: 004726D1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Find$CloseFileNext
                                                                              • String ID: "*G$"*G
                                                                              • API String ID: 2066263336-450946878
                                                                              • Opcode ID: 731f9d001d9b8b0b4781793d64753bce726ea54262d8f8a63928cd792b5168e5
                                                                              • Instruction ID: 3872decae14ce2498a692a517acaa1cf84d86a609609514027ee2c14d85ef847
                                                                              • Opcode Fuzzy Hash: 731f9d001d9b8b0b4781793d64753bce726ea54262d8f8a63928cd792b5168e5
                                                                              • Instruction Fuzzy Hash: 6CB13E7490424DAFCF11DFA5C981ADEBBB9FF49304F5081AAE808B3251D7789A46CF58
                                                                              APIs
                                                                              • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00455218,00455218,00000031,00455218,00000000), ref: 004551A6
                                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00455218,00455218,00000031,00455218), ref: 004551B3
                                                                                • Part of subcall function 00454F68: WaitForInputIdle.USER32(00000001,00000032), ref: 00454F94
                                                                                • Part of subcall function 00454F68: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00454FB6
                                                                                • Part of subcall function 00454F68: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00454FC5
                                                                                • Part of subcall function 00454F68: CloseHandle.KERNEL32(00000001,00454FF2,00454FEB,?,00000031,00000080,00000000,?,?,0045534B,00000080,0000003C,00000000,00455361), ref: 00454FE5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                              • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                              • API String ID: 854858120-615399546
                                                                              • Opcode ID: 2fd3dae9d75497d44160d5c5904f03d0a65dfeb3736f9e9635dbb4a286748838
                                                                              • Instruction ID: 314af404618b4f06b129018ed763823481dfe4f790e250d6c958622b2bfe97d6
                                                                              • Opcode Fuzzy Hash: 2fd3dae9d75497d44160d5c5904f03d0a65dfeb3736f9e9635dbb4a286748838
                                                                              • Instruction Fuzzy Hash: 12515A30A0074DABDB11EF95C892BEEBBB9AF44705F50407BB804B7282D7785A49CB59
                                                                              APIs
                                                                              • LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                              • OemToCharA.USER32(?,?), ref: 0042376C
                                                                              • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Char$FileIconLoadLowerModuleName
                                                                              • String ID: 2$MAINICON
                                                                              • API String ID: 3935243913-3181700818
                                                                              • Opcode ID: 751299a27fb29773dc730031d78ffe09a982dc500c90bea8db2431fb333e9452
                                                                              • Instruction ID: fd9f9c5161a85cdd37c149357dc6ae372d2e201a3957992c444bec056041847b
                                                                              • Opcode Fuzzy Hash: 751299a27fb29773dc730031d78ffe09a982dc500c90bea8db2431fb333e9452
                                                                              • Instruction Fuzzy Hash: 89319270A042549ADF14EF2998857C67BE8AF14308F4441BAE844DB393D7BED988CB99
                                                                              APIs
                                                                              • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
                                                                              • GetCurrentThreadId.KERNEL32 ref: 00418F89
                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA
                                                                                • Part of subcall function 004230D8: 73E9A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
                                                                                • Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                                • Part of subcall function 004230D8: 73EA4620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
                                                                                • Part of subcall function 004230D8: 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
                                                                                • Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                                • Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                                • Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
                                                                                • Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                                • Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
                                                                                • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
                                                                                • Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
                                                                                • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A4620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                                                              • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                              • API String ID: 1580766901-2767913252
                                                                              • Opcode ID: cfc1acdfd4e85ff2d131a9f4d40f785a7290ab9aa4a67b06bd919a79267a8431
                                                                              • Instruction ID: 147b0fd3ac44816fa50e213e98ef70cab9cb63b371fef283777c7ccc396f8742
                                                                              • Opcode Fuzzy Hash: cfc1acdfd4e85ff2d131a9f4d40f785a7290ab9aa4a67b06bd919a79267a8431
                                                                              • Instruction Fuzzy Hash: BB112EB06142409AC740FF76A94265A7BE1DB64318F40843FF448EB2D1DB7D99448B5F
                                                                              APIs
                                                                              • SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0041367F
                                                                              • GetWindowLongA.USER32(?,000000F4), ref: 00413691
                                                                              • SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
                                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136BB
                                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136D2
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: LongWindow$Prop
                                                                              • String ID:
                                                                              • API String ID: 3887896539-0
                                                                              • Opcode ID: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
                                                                              • Instruction ID: 955d73ee8c9e489f8eb805393a0cdbf9fe7b6d9765079e051d97cf620cdedb95
                                                                              • Opcode Fuzzy Hash: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
                                                                              • Instruction Fuzzy Hash: D811C975500248BFDB00DF9DDC84EDA3BE8EB19364F144666B918DB2A1D738DD908BA8
                                                                              APIs
                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045585B,?,00000000,0045589B), ref: 004557A1
                                                                              Strings
                                                                              • PendingFileRenameOperations, xrefs: 00455740
                                                                              • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455724
                                                                              • PendingFileRenameOperations2, xrefs: 00455770
                                                                              • WININIT.INI, xrefs: 004557D0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                              • API String ID: 47109696-2199428270
                                                                              • Opcode ID: e596244eac119ca3746a9610a602a7bde82fbf058035d963e90b8d4b6900848c
                                                                              • Instruction ID: 5ff55985f0d79b0cf99ef6a0ef0ae12f56fe6c83aec1de8438bfb9543cdeefde
                                                                              • Opcode Fuzzy Hash: e596244eac119ca3746a9610a602a7bde82fbf058035d963e90b8d4b6900848c
                                                                              • Instruction Fuzzy Hash: BB519670E006089FDB10FF61DC51AEEB7B9EF45305F50857BE804A7292DB7CAA49CA58
                                                                              APIs
                                                                              • EnumWindows.USER32(00423A2C), ref: 00423AB8
                                                                              • GetWindow.USER32(?,00000003), ref: 00423ACD
                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
                                                                              • SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Window$EnumLongWindows
                                                                              • String ID: lAB
                                                                              • API String ID: 4191631535-3476862382
                                                                              • Opcode ID: 5f05c18b5ef50282e2e62587cef3ede3e0bfa46b8e8bdba155623c697b582535
                                                                              • Instruction ID: 20c146af1fa2ebf8fe73d6cd857ce812a249192cdefe4c29475ac4fba41381ea
                                                                              • Opcode Fuzzy Hash: 5f05c18b5ef50282e2e62587cef3ede3e0bfa46b8e8bdba155623c697b582535
                                                                              • Instruction Fuzzy Hash: 4E115E70700610ABDB109F28DD85F6A77E8EB04725F50026AF9A49B2E7C378ED40CB59
                                                                              APIs
                                                                              • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE60
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFFB,00000000,0042E013,?,?,?,?,00000006,?,00000000,0049722D), ref: 0042DE7B
                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE81
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressDeleteHandleModuleProc
                                                                              • String ID: RegDeleteKeyExA$advapi32.dll
                                                                              • API String ID: 588496660-1846899949
                                                                              • Opcode ID: 1efadd4f9f0c0ea65d6d931b2dfdd832bea74e7cc2ac9dff72f3f3dd5b00937e
                                                                              • Instruction ID: 51feda2b41882886fdb541a0ee71ee95ad591444612597d61ea777cd3c773b46
                                                                              • Opcode Fuzzy Hash: 1efadd4f9f0c0ea65d6d931b2dfdd832bea74e7cc2ac9dff72f3f3dd5b00937e
                                                                              • Instruction Fuzzy Hash: 3EE06DB1B41B30AAD72032A57C8AB932629DB75326F658537F005AE1D183FC2C50CE9D
                                                                              Strings
                                                                              • NextButtonClick, xrefs: 0046BF84
                                                                              • PrepareToInstall failed: %s, xrefs: 0046C14B
                                                                              • Need to restart Windows? %s, xrefs: 0046C172
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                              • API String ID: 0-2329492092
                                                                              • Opcode ID: 221dd23b7cfc17f66ca7de120067e16c15a7d044e53f2a8722f04dc11adac0dc
                                                                              • Instruction ID: 1202268df95ceb0eead913a0caf14b6b564ec17a2e6689a58d7256d675820d07
                                                                              • Opcode Fuzzy Hash: 221dd23b7cfc17f66ca7de120067e16c15a7d044e53f2a8722f04dc11adac0dc
                                                                              • Instruction Fuzzy Hash: 64C16D34A04208DFCB00DB98C9D5AEE77B5EF05304F1444B7E840AB362D778AE41DBAA
                                                                              APIs
                                                                              • SetActiveWindow.USER32(?,?,00000000,00482E54), ref: 00482C30
                                                                              • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00482CC5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ActiveChangeNotifyWindow
                                                                              • String ID: $Need to restart Windows? %s
                                                                              • API String ID: 1160245247-4200181552
                                                                              • Opcode ID: 42b6435f46a46e58fbbfcf74279f1aaa99ef9f12c59d4801a02600e2121285e9
                                                                              • Instruction ID: 8ca071c16d970d9f92bb59f1fa37784b4b8a51c549d6f2244aaf7164950ab745
                                                                              • Opcode Fuzzy Hash: 42b6435f46a46e58fbbfcf74279f1aaa99ef9f12c59d4801a02600e2121285e9
                                                                              • Instruction Fuzzy Hash: 2191B4346042458FDB10EB69D9C5BAD77F4AF59308F0084BBE8009B3A2CBB8AD05CB5D
                                                                              APIs
                                                                                • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
                                                                              • GetLastError.KERNEL32(00000000,0046FF81,?,?,0049C1D0,00000000), ref: 0046FE5E
                                                                              • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FED8
                                                                              • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FEFD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                              • String ID: Creating directory: %s
                                                                              • API String ID: 2451617938-483064649
                                                                              • Opcode ID: 1f02ae1e850569658feceaaf3c85ff1782ed1f35d471b3de261e4d8f3d8ed172
                                                                              • Instruction ID: bdf8a9d00633064e3922ce557b3b2562df44373322d6b4000fae74d311730630
                                                                              • Opcode Fuzzy Hash: 1f02ae1e850569658feceaaf3c85ff1782ed1f35d471b3de261e4d8f3d8ed172
                                                                              • Instruction Fuzzy Hash: AE513F74A00248ABDB04DFA5D582BDEB7F5AF09304F50817BE850B7382D7786E08CB69
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E6E
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F34), ref: 00454ED8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressByteCharMultiProcWide
                                                                              • String ID: SfcIsFileProtected$sfc.dll
                                                                              • API String ID: 2508298434-591603554
                                                                              • Opcode ID: 6a91046d7309a4de6cfc4beec76e0de6ac9bbff88298f3f0baf31012854e5b94
                                                                              • Instruction ID: 1a17c74f1ac94ad93f17d87dc1e08c5ddb540f3824a5df31749c88666692504e
                                                                              • Opcode Fuzzy Hash: 6a91046d7309a4de6cfc4beec76e0de6ac9bbff88298f3f0baf31012854e5b94
                                                                              • Instruction Fuzzy Hash: 6A41A630A042189BEB10DB69DC85B9D77B8AB4430DF5081B7E908A7293D7785F88CF59
                                                                              APIs
                                                                              • 73E9A570.USER32(00000000,?,00000000,00000000,0044B49D,?,k H,?,?), ref: 0044B411
                                                                              • SelectObject.GDI32(?,00000000), ref: 0044B434
                                                                              • 73E9A480.USER32(00000000,?,0044B474,00000000,0044B46D,?,00000000,?,00000000,00000000,0044B49D,?,k H,?,?), ref: 0044B467
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: A480A570ObjectSelect
                                                                              • String ID: k H
                                                                              • API String ID: 1230475511-1447039187
                                                                              • Opcode ID: d4c138e2771e5465782f1838dde397b15c475f1a6013829dedf10027ea17c150
                                                                              • Instruction ID: b5872ed9d16ca79c431bae9e7544c15e8f802733be01f045b529408bc148fe47
                                                                              • Opcode Fuzzy Hash: d4c138e2771e5465782f1838dde397b15c475f1a6013829dedf10027ea17c150
                                                                              • Instruction Fuzzy Hash: 6D217470A04248AFEB15DFA5C851B9EBBB9EB49304F51807AF504E7282D77CD940CB69
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B15C,?,k H,?,?), ref: 0044B12E
                                                                              • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B141
                                                                              • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B175
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: DrawText$ByteCharMultiWide
                                                                              • String ID: k H
                                                                              • API String ID: 65125430-1447039187
                                                                              • Opcode ID: 9eee4d412d6110b2587a1d6710a95c773ea7c34e3a7d98a27860af6b4704048a
                                                                              • Instruction ID: 2dd5a1fcad8022b5ecdd36c3e8438632fadfe976456551c737a9f8dd3ea145e1
                                                                              • Opcode Fuzzy Hash: 9eee4d412d6110b2587a1d6710a95c773ea7c34e3a7d98a27860af6b4704048a
                                                                              • Instruction Fuzzy Hash: A3110BB6700604BFE700DB5A9C91D6F77ECD749750F10413BF504D72D0C6389E018668
                                                                              APIs
                                                                              • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5
                                                                                • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                              • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                              • String ID: SHAutoComplete$shlwapi.dll
                                                                              • API String ID: 395431579-1506664499
                                                                              • Opcode ID: 0d90ae9549cb3a794f747e0b3b89476a1a48bf8a1e7f9d56d35495b62d60795c
                                                                              • Instruction ID: a33720f3aac7210c00664dabe11b621525643aa7ae94b1405928deeb439ddd4e
                                                                              • Opcode Fuzzy Hash: 0d90ae9549cb3a794f747e0b3b89476a1a48bf8a1e7f9d56d35495b62d60795c
                                                                              • Instruction Fuzzy Hash: 1611A331B00318BBDB11EB62ED81B8E7BA8DB55704F90407BF400A6691DBB8AE05C65D
                                                                              APIs
                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                              • RegCloseKey.ADVAPI32(?,00455A67,?,00000001,00000000), ref: 00455A5A
                                                                              Strings
                                                                              • PendingFileRenameOperations2, xrefs: 00455A3B
                                                                              • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A08
                                                                              • PendingFileRenameOperations, xrefs: 00455A2C
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                              • API String ID: 47109696-2115312317
                                                                              • Opcode ID: a871c7690d9b103e0f7f2022bbb7230101daa82acd14c33f99511ba30d6e5aa6
                                                                              • Instruction ID: a84b10804161a04e9b7828e63518c67389a2277fb2d5ef6d9c2d81c30e1ce2e0
                                                                              • Opcode Fuzzy Hash: a871c7690d9b103e0f7f2022bbb7230101daa82acd14c33f99511ba30d6e5aa6
                                                                              • Instruction Fuzzy Hash: 49F09671714A04BFEB05D665DC72E3A739CD744B15FA1446BF800C6682DA7DBE04951C
                                                                              APIs
                                                                              • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?,?,00000000), ref: 0047F8AA
                                                                              • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?,?), ref: 0047F8B7
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0047F9D0,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D), ref: 0047F9AC
                                                                              • FindClose.KERNEL32(000000FF,0047F9D7,0047F9D0,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?), ref: 0047F9CA
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Find$CloseFileNext
                                                                              • String ID:
                                                                              • API String ID: 2066263336-0
                                                                              • Opcode ID: dd47ce488d5ea13da555b7d1a4745cf9b199e366fd9c8806cfe2b69594f7a430
                                                                              • Instruction ID: d4c1b09f85a1e3ce5f066f5119f691750f955bf6e0a6470712ab8dbd39f482a6
                                                                              • Opcode Fuzzy Hash: dd47ce488d5ea13da555b7d1a4745cf9b199e366fd9c8806cfe2b69594f7a430
                                                                              • Instruction Fuzzy Hash: 80513E71A00648AFCB10EF65CC45ADEB7B8AB88315F1085BAA818E7351D7389F49CF59
                                                                              APIs
                                                                              • GetMenu.USER32(00000000), ref: 00421371
                                                                              • SetMenu.USER32(00000000,00000000), ref: 0042138E
                                                                              • SetMenu.USER32(00000000,00000000), ref: 004213C3
                                                                              • SetMenu.USER32(00000000,00000000), ref: 004213DF
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Menu
                                                                              • String ID:
                                                                              • API String ID: 3711407533-0
                                                                              • Opcode ID: fcb1d01c21a3638414a8535da0e373d0dc57cc6d33ffad44a18b700e1522ce17
                                                                              • Instruction ID: 7918b5ac66a49b7c70f092078a7f06842b1ce09055eaa5e04548cec6233339c2
                                                                              • Opcode Fuzzy Hash: fcb1d01c21a3638414a8535da0e373d0dc57cc6d33ffad44a18b700e1522ce17
                                                                              • Instruction Fuzzy Hash: 7D41A13070025447EB20EA79A9857AB26969F69318F4805BFFC44DF3A3CA7DDC45839D
                                                                              APIs
                                                                              • SendMessageA.USER32(?,?,?,?), ref: 00416B94
                                                                              • SetTextColor.GDI32(?,00000000), ref: 00416BAE
                                                                              • SetBkColor.GDI32(?,00000000), ref: 00416BC8
                                                                              • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Color$CallMessageProcSendTextWindow
                                                                              • String ID:
                                                                              • API String ID: 601730667-0
                                                                              • Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                                              • Instruction ID: 7a78515b3e46194db8101330e18da160614de8b80347fcfd5663145ee8fb6c7e
                                                                              • Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                                              • Instruction Fuzzy Hash: 27115EB6600A04AFC710EE6ECC84E8773ECDF48314715883EB59ADB612D638F8418B69
                                                                              APIs
                                                                              • 73E9A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
                                                                              • EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                              • 73EA4620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
                                                                              • 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: A4620A480A570EnumFonts
                                                                              • String ID:
                                                                              • API String ID: 178811091-0
                                                                              • Opcode ID: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
                                                                              • Instruction ID: 16e9332b6476af0d686f12fa818e5571f82757a24bc5219822a197079b30e1ec
                                                                              • Opcode Fuzzy Hash: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
                                                                              • Instruction Fuzzy Hash: D80192717447106AE710BF7A5C86B9B36649F04719F40427BF804AF2C7D6BE9C05476E
                                                                              APIs
                                                                                • Part of subcall function 00450918: SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
                                                                              • FlushFileBuffers.KERNEL32(?), ref: 0045C7FD
                                                                              Strings
                                                                              • NumRecs range exceeded, xrefs: 0045C6FA
                                                                              • EndOffset range exceeded, xrefs: 0045C731
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: File$BuffersFlush
                                                                              • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                              • API String ID: 3593489403-659731555
                                                                              • Opcode ID: 794c48d8177613dd3f63bd91f05815d926f9d199b7ec90082a892dce85f7227f
                                                                              • Instruction ID: 42c6ccb15965a4bc01c0ab80d29458e35b3cecf9486565f2d0e9c4cbdba5a9bf
                                                                              • Opcode Fuzzy Hash: 794c48d8177613dd3f63bd91f05815d926f9d199b7ec90082a892dce85f7227f
                                                                              • Instruction Fuzzy Hash: A5617134A002988FDB24DF25C891AD9B7B5EF49305F0084DAED89AB352D774AEC9CF54
                                                                              APIs
                                                                                • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498586), ref: 0040334B
                                                                                • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498586), ref: 00403356
                                                                                • Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498590), ref: 0040633A
                                                                                • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
                                                                                • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
                                                                                • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
                                                                                • Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498590), ref: 0040637E
                                                                                • Part of subcall function 00409B88: 6F9C1CD0.COMCTL32(0049859A), ref: 00409B88
                                                                                • Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2
                                                                                • Part of subcall function 00419050: GetVersion.KERNEL32(004985AE), ref: 00419050
                                                                                • Part of subcall function 0044F754: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004985C2), ref: 0044F78F
                                                                                • Part of subcall function 0044F754: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F795
                                                                                • Part of subcall function 0044FBFC: GetVersionExA.KERNEL32(0049B790,004985C7), ref: 0044FC0B
                                                                                • Part of subcall function 004531DC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 004531FC
                                                                                • Part of subcall function 004531DC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453202
                                                                                • Part of subcall function 004531DC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 00453216
                                                                                • Part of subcall function 004531DC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045321C
                                                                                • Part of subcall function 00456EEC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F10
                                                                                • Part of subcall function 00464960: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
                                                                                • Part of subcall function 00464960: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975
                                                                                • Part of subcall function 0046D098: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046D0AD
                                                                                • Part of subcall function 00478B3C: GetModuleHandleA.KERNEL32(kernel32.dll,?,004985F4), ref: 00478B42
                                                                                • Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
                                                                                • Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478B5F
                                                                                • Part of subcall function 00495584: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0049559D
                                                                              • SetErrorMode.KERNEL32(00000001,00000000,0049863C), ref: 0049860E
                                                                                • Part of subcall function 00498338: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498618,00000001,00000000,0049863C), ref: 00498342
                                                                                • Part of subcall function 00498338: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498348
                                                                                • Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503
                                                                                • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                              • ShowWindow.USER32(?,00000005,00000000,0049863C), ref: 0049866F
                                                                                • Part of subcall function 00482050: SetActiveWindow.USER32(?), ref: 004820FE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                              • String ID: Setup
                                                                              • API String ID: 504348408-3839654196
                                                                              • Opcode ID: 0b193bc7ab6d0367c14efa4071f6efbf19235d44a4c70119fe87f529ba434d3c
                                                                              • Instruction ID: d131c851e578025af209eb9e9c2d0e6aaf1cfb04eb4cc82699b843ce611002a7
                                                                              • Opcode Fuzzy Hash: 0b193bc7ab6d0367c14efa4071f6efbf19235d44a4c70119fe87f529ba434d3c
                                                                              • Instruction Fuzzy Hash: 5C31D4702046409ED601BBBBED5352E3B98EB8A718B61487FF804D6553CE3D6C148A3E
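The function above is the one that, through its subcalls, resolves most of its imports at run time (GetModuleHandleA/LoadLibraryA followed by GetProcAddress for SetDllDirectoryW, SetSearchPathMode, SetProcessDEPPolicy, Wow64DisableWow64FsRedirection, SHPathPrepareForWriteA, VerSetConditionMask, and so on). Reading those chains out of the listing by hand is tedious, so here is an added example, written for this page and not part of the Joe Sandbox report or of the analysed sample, of a small Python parser for lines in this "APIs" format that reconstructs which export names each subcall resolves. It assumes the line layout shown above (optional "Part of subcall function <addr>: ", then API.MODULE(args), ref: <addr>); the embedded sample lines are copied from this block. Note that the argument columns run past each API's real parameter count (GetModuleHandleA takes one argument, yet Wow64DisableWow64FsRedirection appears as its second), so they are stack contents at the call site rather than parsed parameters, and the export name often sits on the GetModuleHandleA/LoadLibraryA line instead of on the GetProcAddress line; the parser therefore scans every argument of every resolver call within a subcall.

```python
import re

# Constructed sample input: "APIs" lines copied in the shape of the Joe Sandbox
# IDA-plugin listing for the setup-initialisation function on this page.
# This is test data for the parser, not a reader for the .jbxd snapshot itself.
SAMPLE_APIS = """\
  • Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498590), ref: 0040633A
  • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
  • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
  • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
  • Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498590), ref: 0040637E
  • Part of subcall function 004531DC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 004531FC
  • Part of subcall function 004531DC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453202
  • Part of subcall function 00464960: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
  • Part of subcall function 00464960: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975
  • Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
  • SetErrorMode.KERNEL32(00000001,00000000,0049863C), ref: 0049860E
  • ShowWindow.USER32(?,00000005,00000000,0049863C), ref: 0049866F
"""

# One call line: optional "Part of subcall function <addr>: ", then API.MODULE(args), ref: <addr>
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<api>[^.(\s]+)\.(?P<module>[A-Z0-9]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})\s*$"
)
HEX32_RE = re.compile(r"^[0-9A-F]{8}$")
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# APIs through which the binary resolves imports at run time.
RESOLVERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW", "GetProcAddress"}


def parse_api_lines(text):
    """Parse listing lines into dicts; lines that do not match (headings etc.) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        calls.append({
            "caller": m["caller"] or "direct",  # "direct" = called by the listed function itself
            "api": m["api"],
            "module": m["module"],
            "args": args,
            "ref": m["ref"],
        })
    return calls


def looks_like_export_name(token):
    """Keep identifiers; drop unknowns ('?'), raw 32-bit values and DLL names."""
    if token in ("", "?") or HEX32_RE.match(token) or token.lower().endswith(".dll"):
        return False
    return IDENT_RE.match(token) is not None


def resolved_exports(calls):
    """Map each caller address to the sorted export names seen in its resolver calls.

    Every argument of every resolver call in the subcall is scanned, not just the
    second argument of GetProcAddress: the argument columns are stack snapshots,
    so the name frequently shows up on the GetModuleHandleA/LoadLibraryA line.
    """
    found = {}
    for c in calls:
        if c["api"] not in RESOLVERS:
            continue
        names = found.setdefault(c["caller"], set())
        for a in c["args"]:
            if looks_like_export_name(a):
                names.add(a)
    return {caller: sorted(names) for caller, names in found.items() if names}


def direct_calls(calls):
    """APIs the listed function calls itself (not via a 'Part of subcall function' line)."""
    return [c["api"] for c in calls if c["caller"] == "direct"]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_APIS)
    for caller, names in sorted(resolved_exports(parsed).items()):
        print(f"{caller}: {', '.join(names)}")
    print("direct:", ", ".join(direct_calls(parsed)))
```

Fed the whole "APIs" section of a report instead of the sample, the same two functions give a per-subcall table of dynamically resolved exports, which is the quickest way to spot the APIs that never appear in the static import table.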
                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453AFF,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A56
                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453AFF,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A5F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID: .tmp
                                                                              • API String ID: 1375471231-2986845003
                                                                              • Opcode ID: 3cb25ddd520bb7346a311bd12df13eef30655657fdbd9206c6de24d758997ec8
                                                                              • Instruction ID: fcbeb811eea92760dd82faa40bdacdd366465f8a5342b7af386d3ee3900427bd
                                                                              • Opcode Fuzzy Hash: 3cb25ddd520bb7346a311bd12df13eef30655657fdbd9206c6de24d758997ec8
                                                                              • Instruction Fuzzy Hash: 5A213375A00208ABDB01EFA1C8429DEB7B9EB48305F50457BE801B7342DA789F058AA5
                                                                              APIs
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C596,00000000,0047C5AC,?,?,?,?,00000000), ref: 0047C372
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID: RegisteredOrganization$RegisteredOwner
                                                                              • API String ID: 3535843008-1113070880
                                                                              • Opcode ID: 3cef9cafc9ae7832fbb6eaa2bd4d40f0f71bbb09bcea78efdfdb807f20eb42b3
                                                                              • Instruction ID: cd6b81515cbcb541a42d20c803a6709c30f964b406f28b15d8fe69fce277d2ff
                                                                              • Opcode Fuzzy Hash: 3cef9cafc9ae7832fbb6eaa2bd4d40f0f71bbb09bcea78efdfdb807f20eb42b3
                                                                              • Instruction Fuzzy Hash: 41F09030704204ABEB00D669ECD2BAA33A99746304F60C03FA9088B392D6799E01CB5C
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004756F3), ref: 004754E1
                                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004756F3), ref: 004754F8
                                                                                • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateErrorFileHandleLast
                                                                              • String ID: CreateFile
                                                                              • API String ID: 2528220319-823142352
                                                                              • Opcode ID: fa36eb7f5e292efbad873286b983b31a245b5f10299435e2a562660d120c4ecb
                                                                              • Instruction ID: 40e201e46ebb19b1d9bf90fbf766f72b309683208074062896c4944ddf319cda
                                                                              • Opcode Fuzzy Hash: fa36eb7f5e292efbad873286b983b31a245b5f10299435e2a562660d120c4ecb
                                                                              • Instruction Fuzzy Hash: CDE065702403447FDA10F769CCC6F4577889B14729F10C155B5446F3D2C5B9EC408628
                                                                              APIs
                                                                              • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Open
                                                                              • String ID: System\CurrentControlSet\Control\Windows$c6H
                                                                              • API String ID: 71445658-1548894351
                                                                              • Opcode ID: 532c08fc3a5ebe879a42036bede715a90f251433598981f36561c2967c82051c
                                                                              • Instruction ID: b14c86e398362f8621ba381b59967aff518ca924b2daa5b46ce173f8349262a2
                                                                              • Opcode Fuzzy Hash: 532c08fc3a5ebe879a42036bede715a90f251433598981f36561c2967c82051c
                                                                              • Instruction Fuzzy Hash: BFD0C772950128BBDB00DA89DC41DFB775DDB15760F45441BFD049B141C1B4EC5197F8
                                                                              APIs
                                                                                • Part of subcall function 00456E7C: CoInitialize.OLE32(00000000), ref: 00456E82
                                                                                • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                              • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F10
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                              • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                              • API String ID: 2906209438-2320870614
                                                                              • Opcode ID: 22a7af04fdfb7e1cbc8590484576be710a33bf4538556d1874791685a96bf942
                                                                              • Instruction ID: 6d1f0b9ea2f83cf17b9d56af39d37ffc4890966232cc80b75afa5f9be50b51f8
                                                                              • Opcode Fuzzy Hash: 22a7af04fdfb7e1cbc8590484576be710a33bf4538556d1874791685a96bf942
                                                                              • Instruction Fuzzy Hash: 97C04CA1B4169096CB00B7FAA54361F2414DB5075FB96C07FBD40BB687CE7D8848AA2E
                                                                              APIs
                                                                                • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                              • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046D0AD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressErrorLibraryLoadModeProc
                                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                              • API String ID: 2492108670-2683653824
                                                                              • Opcode ID: 4bfb7ae62aec4cae49a8b0683f2b36ac3bef8159a448d5ae1ca26c94081968f3
                                                                              • Instruction ID: 608de25eae135e4754017d8cf95b07e3007941af04aa8fd5541e4ba3120ba520
                                                                              • Opcode Fuzzy Hash: 4bfb7ae62aec4cae49a8b0683f2b36ac3bef8159a448d5ae1ca26c94081968f3
                                                                              • Instruction Fuzzy Hash: 69B092E0F056008ACF00A7F6984260A10059B8071DF90807B7440BB395EA3E840AAB6F
                                                                              APIs
                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448719), ref: 0044865C
                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486DD
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID:
                                                                              • API String ID: 2574300362-0
                                                                              • Opcode ID: 9e6f6b39164a2250cf52a4aeb4930d02d61dfc433358958cd5631fa5a9f36d71
                                                                              • Instruction ID: bcb50df029510264ac3c8269deb9aca16d778d72fab4f9fb4f479d94b6d7f3fe
                                                                              • Opcode Fuzzy Hash: 9e6f6b39164a2250cf52a4aeb4930d02d61dfc433358958cd5631fa5a9f36d71
                                                                              • Instruction Fuzzy Hash: 09514170A00105AFDB40EFA5C491A9EBBF9EB54315F11817EA414BB392DA389E05CB99
                                                                              APIs
                                                                              • GetSystemMenu.USER32(00000000,00000000,00000000,0048183C), ref: 004817D4
                                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 004817E5
                                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 004817FD
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Append$System
                                                                              • String ID:
                                                                              • API String ID: 1489644407-0
                                                                              • Opcode ID: 700b5811d02ba2ff172c742152fb081413fabfeab2321fa183ac7a2ab913d185
                                                                              • Instruction ID: b36482c1273671328963914ac1a7ecaae55131090c894365c145815d0470a156
                                                                              • Opcode Fuzzy Hash: 700b5811d02ba2ff172c742152fb081413fabfeab2321fa183ac7a2ab913d185
                                                                              • Instruction Fuzzy Hash: 02318E307043445AD721FB359D82BAE3A989B15318F54593FB900AA3E3CA7C9C4A87AD
                                                                              APIs
                                                                              • 751C1520.VERSION(00000000,?,?,?,004972D0), ref: 0045251C
                                                                              • 751C1500.VERSION(00000000,?,00000000,?,00000000,00452597,?,00000000,?,?,?,004972D0), ref: 00452549
                                                                              • 751C1540.VERSION(?,004525C0,?,?,00000000,?,00000000,?,00000000,00452597,?,00000000,?,?,?,004972D0), ref: 00452563
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: C1500C1520C1540
                                                                              • String ID:
                                                                              • API String ID: 1315064709-0
                                                                              • Opcode ID: 386d1b7d14527d93b72562f1672999fd2f5aa3ff7ed0da5cad2ac492ae89063e
                                                                              • Instruction ID: b47a7e64509d5cca070909842564d4f4e78a1d1ae8fea26b0cdd83eea50adb12
                                                                              • Opcode Fuzzy Hash: 386d1b7d14527d93b72562f1672999fd2f5aa3ff7ed0da5cad2ac492ae89063e
                                                                              • Instruction Fuzzy Hash: 6B218371A00148AFDB01DAA989519AFB7FCEB4A300F55447BFC00E3342E6B99E04CB65
                                                                              APIs
                                                                              • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
                                                                              • TranslateMessage.USER32(?), ref: 0042449F
                                                                              • DispatchMessageA.USER32(?), ref: 004244A9
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Message$DispatchPeekTranslate
                                                                              • String ID:
                                                                              • API String ID: 4217535847-0
                                                                              • Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                              • Instruction ID: 520fb342982be2dd3794930026bb259c1cd38a4fe19eb968f01b3c53081bdda3
                                                                              • Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                              • Instruction Fuzzy Hash: 781191307043205AEE20FA64AD41B9B73D4DFD1708F80481EF9D997382D77D9E49879A
                                                                              APIs
                                                                              • SetPropA.USER32(00000000,00000000), ref: 0041667A
                                                                              • SetPropA.USER32(00000000,00000000), ref: 0041668F
                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Prop$Window
                                                                              • String ID:
                                                                              • API String ID: 3363284559-0
                                                                              • Opcode ID: c3da473eafe02ab8e789e0609dcd6af1eaad0cb973784c7fd29191cc4dc7f6ad
                                                                              • Instruction ID: 2262f6f032fbfc8c948eb6af5e1566575da4c35a9ecfa624f63ddadf83d7b404
                                                                              • Opcode Fuzzy Hash: c3da473eafe02ab8e789e0609dcd6af1eaad0cb973784c7fd29191cc4dc7f6ad
                                                                              • Instruction Fuzzy Hash: E3F0B271701210ABD710AB599C85FA632DCAB09719F160176BD09EF286C778DC40C7A8
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual$AllocFree
                                                                              • String ID: LjN
                                                                              • API String ID: 2087232378-2293711372
                                                                              • Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                              • Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
                                                                              • Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                              • Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 0041EE74
                                                                              • IsWindowEnabled.USER32(?), ref: 0041EE7E
                                                                              • EnableWindow.USER32(?,00000000), ref: 0041EEA4
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Window$EnableEnabledVisible
                                                                              • String ID:
                                                                              • API String ID: 3234591441-0
                                                                              • Opcode ID: 8d68ea6b8e39d06ec6ae2b778d87487b924e250a5b1b44c5d2ba2f9a93d60018
                                                                              • Instruction ID: eab114e884733e02e348d5fb54c1eeaedaab2d2a8f53f62e6f3f1b5b82b3488b
                                                                              • Opcode Fuzzy Hash: 8d68ea6b8e39d06ec6ae2b778d87487b924e250a5b1b44c5d2ba2f9a93d60018
                                                                              • Instruction Fuzzy Hash: 90E0EDB9100300AAE711AB2BEC81A57769CBB94314F45843BAC099B293DA3EDC409B78
                                                                              APIs
                                                                              • SetActiveWindow.USER32(?), ref: 0046A378
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ActiveWindow
                                                                              • String ID: PrepareToInstall
                                                                              • API String ID: 2558294473-1101760603
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID:
• String ID: /:*?"<>|
• API String ID: 0-4078764451
APIs
• SetActiveWindow.USER32(?), ref: 004820FE
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: ActiveWindow
• String ID: InitializeWizard
• API String ID: 2558294473-2356795471
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C472,00000000,0047C5AC), ref: 0047C271
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C241
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: CloseOpen
• String ID: Software\Microsoft\Windows\CurrentVersion
• API String ID: 47109696-1019749484
APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,004763FA,?,0049C1D0,?,0046F403,?,00000000,0046F99E,?,_is1), ref: 0046F10F
Strings
• Inno Setup: Setup Version, xrefs: 0046F10D
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Value
• String ID: Inno Setup: Setup Version
• API String ID: 3702945584-4166306022
APIs
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F7DA,?,?,00000000,0046F99E,?,_is1,?), ref: 0046F16F
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Value
• String ID: NoModify
• API String ID: 3702945584-1699962838
APIs
• GetACP.KERNEL32(?,?,00000001,00000000,0047E25F,?,-0000001A,004800D8,-00000010,?,00000004,0000001B,00000000,00480425,?,0045DECC), ref: 0047DFF6
  • Part of subcall function 0042E32C: 73E9A570.USER32(00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB), ref: 0042E33B
  • Part of subcall function 0042E32C: EnumFontsA.GDI32(?,00000000,0042E318,00000000,00000000,0042E384,?,00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000), ref: 0042E366
  • Part of subcall function 0042E32C: 73E9A480.USER32(00000000,?,0042E38B,00000000,00000000,0042E384,?,00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000), ref: 0042E37E
• SendNotifyMessageA.USER32(000203D2,00000496,00002711,-00000001), ref: 0047E1C6
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: A480A570EnumFontsMessageNotifySend
• String ID:
• API String ID: 2685184028-0
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DC4C
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DCBC
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
APIs
• RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DF7C
• RegCloseKey.ADVAPI32(?,0042DFED,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DFE0
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: CloseEnum
• String ID:
• API String ID: 2818636725-0
APIs
• CreateProcessA.KERNEL32(00000000,00000000,?,?,004580B4,00000000,0045809C,?,?,?,00000000,0045284E,?,?,?,00000001), ref: 00452828
• GetLastError.KERNEL32(00000000,00000000,?,?,004580B4,00000000,0045809C,?,?,?,00000000,0045284E,?,?,?,00000001), ref: 00452830
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: CreateErrorLastProcess
• String ID:
• API String ID: 2919029540-0
APIs
• FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFF2
• FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B14F,00000000,0040B167,?,?,?,00000000), ref: 0040B003
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Resource$FindFree
• String ID:
• API String ID: 4097029671-0
                                                                              APIs
                                                                              • GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                              • 73EA5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: A5940CurrentThread
                                                                              • String ID:
                                                                              • API String ID: 2589350566-0
                                                                              • Opcode ID: 4f622a916fb84fb1e9f1f3e222a7611e51385d213cb7cd19795c9b5a33aefee2
                                                                              • Instruction ID: 3b2ca51acea6f31c20bceb620234c512699c69eae89bb1383ecfa3b3ac64bed2
                                                                              • Opcode Fuzzy Hash: 4f622a916fb84fb1e9f1f3e222a7611e51385d213cb7cd19795c9b5a33aefee2
                                                                              • Instruction Fuzzy Hash: FD013976A04604BFDB06CF6BDC1195ABBE9E789720B22887BEC04D36A0E6355810DE18
                                                                              APIs
                                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CAE
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00452CD4), ref: 00452CB6
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLastMove
                                                                              • String ID:
                                                                              • API String ID: 55378915-0
                                                                              • Opcode ID: 4a87794495b209091e638427933314290125c3fb15c22ae1653921e41cb98622
                                                                              • Instruction ID: 8cb4f6990e07c72a34a39c3d349ee9eec810a974928c7dd1f8c60ebce1e721cc
                                                                              • Opcode Fuzzy Hash: 4a87794495b209091e638427933314290125c3fb15c22ae1653921e41cb98622
                                                                              • Instruction Fuzzy Hash: D5014971B00204BB8B11DF799D414AEB7ECEB4A32531045BBFC08E3243EAB84E048558
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,00401973), ref: 00401766
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID: LjN
                                                                              • API String ID: 1263568516-2293711372
                                                                              • Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                              • Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
                                                                              • Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                              • Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527BB), ref: 00452795
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,004527BB), ref: 0045279D
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID:
                                                                              • API String ID: 1375471231-0
                                                                              • Opcode ID: 638905229d0ae290751701005a3127306b10a627987a4e9871fe20b3b513e6c4
                                                                              • Instruction ID: 7517b5081c7c6af98826394809c6fe2d976c468da5ddf52a6f68070703836f12
                                                                              • Opcode Fuzzy Hash: 638905229d0ae290751701005a3127306b10a627987a4e9871fe20b3b513e6c4
                                                                              • Instruction Fuzzy Hash: 40F0FC71A04704AFCF00DF759D4199EB7E8DB0E715B5049B7FC14E3242E7B94E1485A8
                                                                              APIs
                                                                              • LoadCursorA.USER32(00000000,00007F00), ref: 00423259
                                                                              • LoadCursorA.USER32(00000000,00000000), ref: 00423283
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CursorLoad
                                                                              • String ID:
                                                                              • API String ID: 3238433803-0
                                                                              • Opcode ID: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
                                                                              • Instruction ID: c8375b04fab070422f53c3d6524130e38f027298e82d6ab835706982cf041ecc
                                                                              • Opcode Fuzzy Hash: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
                                                                              • Instruction Fuzzy Hash: 0FF0A711704114AADA105D7E6CC0E2B7268DB91B36B6103BBFA3AD72D1C62E1D41457D
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                              • LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLibraryLoadMode
                                                                              • String ID:
                                                                              • API String ID: 2987862817-0
                                                                              • Opcode ID: 7795cc8daa252176d65de3d8f3118caac988bfa791d53a68a28aad838e50b78c
                                                                              • Instruction ID: 98bcbcc3e9aaf4c66058534b39987ccdd7eb12bd14468eaf88ad72af9e5505e3
                                                                              • Opcode Fuzzy Hash: 7795cc8daa252176d65de3d8f3118caac988bfa791d53a68a28aad838e50b78c
                                                                              • Instruction Fuzzy Hash: D5F05E70A14744BEDF119F779C6282ABAACE749B1179248B6F810A3691E67D48108928
                                                                              APIs
                                                                              • GetClassInfoA.USER32(00400000,?,?), ref: 004162F1
                                                                              • GetClassInfoA.USER32(00000000,?,?), ref: 00416301
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ClassInfo
                                                                              • String ID:
                                                                              • API String ID: 3534257612-0
                                                                              • Opcode ID: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
                                                                              • Instruction ID: dc9e2acc6f173dd0cc3aa24d84b637cb0067f0ccc6b7cec6a0fcec59befe77f5
                                                                              • Opcode Fuzzy Hash: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
                                                                              • Instruction Fuzzy Hash: 22E012B26015155ADB10DB999D81EE326DCDB09310B110167BE14CA246D764DD005BA4
                                                                              APIs
                                                                              • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,004703F1,?,00000000), ref: 004508FA
                                                                              • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,004703F1,?,00000000), ref: 00450902
                                                                                • Part of subcall function 004506A0: GetLastError.KERNEL32(004504BC,00450762,?,00000000,?,004977FC,00000001,00000000,00000002,00000000,0049795D,?,?,00000005,00000000,00497991), ref: 004506A3
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$FilePointer
                                                                              • String ID:
                                                                              • API String ID: 1156039329-0
                                                                              • Opcode ID: 740b0e3b535324eeb3a184350110131e2b1ae31ce216053ff26069d2cbf9fe72
                                                                              • Instruction ID: a22a311b57bf1dff13f45894218d9c0eaf9de3d8271a2984ee0ce7717fd7efee
                                                                              • Opcode Fuzzy Hash: 740b0e3b535324eeb3a184350110131e2b1ae31ce216053ff26069d2cbf9fe72
                                                                              • Instruction Fuzzy Hash: E0E012B53042059BFB00FA6599C1F3B63DCDB44315F00447AB984CF187D674CC155B29
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,0040871A), ref: 00408603
                                                                                • Part of subcall function 00406DF4: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E11
                                                                                • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: DefaultInfoLoadLocaleStringSystem
                                                                              • String ID:
                                                                              • API String ID: 1658689577-0
                                                                              • Opcode ID: 2ab4847006ef9acfce6ccb5f1f64a91e8b74d27154e4f0e7901e4566ca639e1f
                                                                              • Instruction ID: ea6634d2ed8774f5e90a5a6f355d63bed973dafba18e0ec7d48b30ffe24ea089
                                                                              • Opcode Fuzzy Hash: 2ab4847006ef9acfce6ccb5f1f64a91e8b74d27154e4f0e7901e4566ca639e1f
                                                                              • Instruction Fuzzy Hash: C4314375E001199BCF01DF95C8819EEB7B9FF84314F15857BE815AB286E738AE018B98
                                                                              APIs
                                                                              • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: InfoScroll
                                                                              • String ID:
                                                                              • API String ID: 629608716-0
                                                                              • Opcode ID: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
                                                                              • Instruction ID: 2c7078d87c5cd90d2d28a279248f0ceb63a34b6d02ec849610dd04de18f9c6e3
                                                                              • Opcode Fuzzy Hash: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
                                                                              • Instruction Fuzzy Hash: AA213EB1608745AFD350DF39D4407AABBE4BB48314F04893EA498C3741E778E99ACBD6
                                                                              APIs
                                                                                • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                • Part of subcall function 0041EEB4: 73EA5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09
                                                                              • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C756,?,00000000,?,?,0046C968,?,00000000,0046C9DC), ref: 0046C73A
                                                                                • Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
                                                                                • Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Window$A5940CurrentEnablePathPrepareThreadWrite
                                                                              • String ID:
                                                                              • API String ID: 3104224314-0
                                                                              • Opcode ID: 7310e4a240e1736cfb30b9abd7a9c8d32e29debdd45fb2130da0edd2c14fc99c
                                                                              • Instruction ID: 552ca42e7a4f22222615ff1de8f8c20df724e6475abae56b3c63f202feb1ec23
                                                                              • Opcode Fuzzy Hash: 7310e4a240e1736cfb30b9abd7a9c8d32e29debdd45fb2130da0edd2c14fc99c
                                                                              • Instruction Fuzzy Hash: 28F0E270248300FFEB059BB2EDD6B2577E8E319716F91043BF504866D0EA795D40C96E
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                              • Instruction ID: d0e136ad155d69288fc423feb27b218c22c44688115b59a91c3ffefc647f2292
                                                                              • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                              • Instruction Fuzzy Hash: F0F0FF70509209DBBB1CCF54D0919AF7B71EB59310F20806FE907877A0D6346A80D759
                                                                              APIs
                                                                              • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                              • Instruction ID: 39ad6e161323637dbb8254467e02d50acedd081d31d6b9d15e1adfc5f54150e8
                                                                              • Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                              • Instruction Fuzzy Hash: 6EF02BB2200510AFDB84CF9CD9C0F9373ECEB0C210B0481A6FA08CF24AD220EC108BB0
                                                                              APIs
                                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CallbackDispatcherUser
                                                                              • String ID:
                                                                              • API String ID: 2492992576-0
                                                                              • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                              • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                              • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                              • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004507F0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 838f498b19bb2aafec3be0ee987651bf511c4e6d2f63907cf4f88042037e4973
                                                                              • Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
                                                                              • Opcode Fuzzy Hash: 838f498b19bb2aafec3be0ee987651bf511c4e6d2f63907cf4f88042037e4973
                                                                              • Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD24,?,00000001,?,?,00000000,?,0042CD76,00000000,00452A11,00000000,00452A32,?,00000000), ref: 0042CD07
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              • Opcode ID: a570e9d0cc49cd9ea48ac8d9958fbde071fca7bece3969a5989dcb135d147aed
                                                                              • Instruction ID: bebe06870d533199fa05ec681e6f815a7bc371a3e359dcca221b2f893a48d47d
                                                                              • Opcode Fuzzy Hash: a570e9d0cc49cd9ea48ac8d9958fbde071fca7bece3969a5989dcb135d147aed
                                                                              • Instruction Fuzzy Hash: 0AE06571304308BFD701EB62EC92A5EBBECD749714B914476B400D7592D5B86E008458
                                                                              APIs
                                                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FormatMessage
                                                                              • String ID:
                                                                              • API String ID: 1306739567-0
                                                                              • Opcode ID: 1d16c149c237ab05d394d1dcd15bc1a2ba242a73302d35381885c392630e106f
                                                                              • Instruction ID: 1e04b5e42f682bd3307758a00633d1e15c64123c11c882a5e2d093d9edca25ee
                                                                              • Opcode Fuzzy Hash: 1d16c149c237ab05d394d1dcd15bc1a2ba242a73302d35381885c392630e106f
                                                                              • Instruction Fuzzy Hash: E7E0D86178432126F23524166C43B7B110E43C0704FD080267A809F3D6D6EE9949425E
                                                                              APIs
                                                                              • CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406329
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                              • Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
                                                                              • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                              • Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
                                                                              APIs
                                                                              • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Create
                                                                              • String ID:
                                                                              • API String ID: 2289755597-0
                                                                              • Opcode ID: b59592ccec0b1853c0d50eb209755673f49d30f0d63234ebc8c06611609486a1
                                                                              • Instruction ID: 00bf656f3cc58d957e3fc120c7d975a7f6f089e768df8f95d2ce2a55afbcf34e
                                                                              • Opcode Fuzzy Hash: b59592ccec0b1853c0d50eb209755673f49d30f0d63234ebc8c06611609486a1
                                                                              • Instruction Fuzzy Hash: 69E07EB2600119AF9B40DE8CDC81EEB37ADAB1D350F414016FA08E7200C274EC519BB4
                                                                              APIs
                                                                              • FindClose.KERNEL32(00000000,000000FF,00470C14,00000000,00471A10,?,00000000,00471A59,?,00000000,00471B92,?,00000000,?,00000000), ref: 00454BFA
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseFind
                                                                              • String ID:
                                                                              • API String ID: 1863332320-0
                                                                              • Opcode ID: cdb9c2b7633e0d7853738bb459b1a46babdaf032508dd36dba6af5da7df12373
                                                                              • Instruction ID: 3c3cb6916585ff7422749358fc170cdffb6a73b651657da6609ae8be1e4b77d0
                                                                              • Opcode Fuzzy Hash: cdb9c2b7633e0d7853738bb459b1a46babdaf032508dd36dba6af5da7df12373
                                                                              • Instruction Fuzzy Hash: A7E065B0A056004BCB15DF3A858021A76D25FC5325F05C96AAC58CF397D63C84955656
                                                                              APIs
                                                                              • KiUserCallbackDispatcher.NTDLL(004953B6,?,004953D8,?,?,00000000,004953B6,?,?), ref: 004146AB
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CallbackDispatcherUser
                                                                              • String ID:
                                                                              • API String ID: 2492992576-0
                                                                              • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                              • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                              • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                              • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                              APIs
                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F2C
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
                                                                              • Instruction ID: 1f586823f232578dbf745533d190da316c23ef772c10fc749b20f2ce5ea51255
                                                                              • Opcode Fuzzy Hash: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
                                                                              • Instruction Fuzzy Hash: E0D05B723091117AD620955F6C44DA76BDCCBC5770F11063EB558D72C1D7309C01C675
                                                                              APIs
                                                                                • Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D
                                                                              • ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                • Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: InfoParametersSystem$ShowWindow
                                                                              • String ID:
                                                                              • API String ID: 3202724764-0
                                                                              • Opcode ID: 6539159081c566a845655d997cb077fb8df4a929aa301bd67fb88950e555413a
                                                                              • Instruction ID: 40ba6511a88705317f68f90b714cf273492cbff5df7e869aa0dea3a735aecdb5
                                                                              • Opcode Fuzzy Hash: 6539159081c566a845655d997cb077fb8df4a929aa301bd67fb88950e555413a
                                                                              • Instruction Fuzzy Hash: 89D05E123831B03106307BB72805ACB86AC8D966AB389047BB5409B302E91E8A0A61AC
                                                                              APIs
                                                                              • SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: TextWindow
                                                                              • String ID:
                                                                              • API String ID: 530164218-0
                                                                              • Opcode ID: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
                                                                              • Instruction ID: 772c2b490b6417829154bcce5d0a54014a2db275ddfc333997dbbca6f26d49c5
                                                                              • Opcode Fuzzy Hash: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
                                                                              • Instruction Fuzzy Hash: 7ED05EE27011702BCB01BAED54C4AC667CC9B8825AB1940BBF904EF257C678CE4083A8
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,004515B7,00000000), ref: 0042CD3F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              • Opcode ID: 25b3c26d3c79b78b40e0be7c0404abf70c39e9d787657ef1c43052f1caeba7d8
                                                                              • Instruction ID: 866207c2a99293721dc17515f5e31636ca325c5e587501d47fbe5ff4e718b97c
                                                                              • Opcode Fuzzy Hash: 25b3c26d3c79b78b40e0be7c0404abf70c39e9d787657ef1c43052f1caeba7d8
                                                                              • Instruction Fuzzy Hash: 77C08CE03222001A9A20A6BD2CC950F06CC891437A3A41F77B439E72E2D23DD8162018
                                                                              APIs
                                                                              • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467B94,00000000,00000000,00000000,0000000C,00000000), ref: 00466EC4
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CallbackDispatcherUser
                                                                              • String ID:
                                                                              • API String ID: 2492992576-0
                                                                              • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                              • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                              • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                              • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8D4,0040CE80,?,00000000,?), ref: 00406EE5
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 69b9da7e15ce352a50602e67f4a233c0d3270223495d3e32e43592fe9d1f4da4
                                                                              • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                              • Opcode Fuzzy Hash: 69b9da7e15ce352a50602e67f4a233c0d3270223495d3e32e43592fe9d1f4da4
                                                                              • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                              APIs
                                                                              • SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
                                                                                • Part of subcall function 004506A0: GetLastError.KERNEL32(004504BC,00450762,?,00000000,?,004977FC,00000001,00000000,00000002,00000000,0049795D,?,?,00000005,00000000,00497991), ref: 004506A3
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLast
                                                                              • String ID:
                                                                              • API String ID: 734332943-0
                                                                              • Opcode ID: 2f3da4ea7652235e9563b7b11f328aef08bde54833d269609cfe7e93d4b3e5df
                                                                              • Instruction ID: d892f33e09ba9bc7304af59ed1bd982b4427bde6cd355302a364b0e8927efaaf
                                                                              • Opcode Fuzzy Hash: 2f3da4ea7652235e9563b7b11f328aef08bde54833d269609cfe7e93d4b3e5df
                                                                              • Instruction Fuzzy Hash: 2DC04CA9300101879F00BAAE95D190663D85E583057504066B944CF207D668D8144A18
                                                                              APIs
                                                                              • SetCurrentDirectoryA.KERNEL32(00000000,?,0049778A,00000000,0049795D,?,?,00000005,00000000,00497991,?,?,00000000), ref: 004072BB
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectory
                                                                              • String ID:
                                                                              • API String ID: 1611563598-0
                                                                              • Opcode ID: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
                                                                              • Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
                                                                              • Opcode Fuzzy Hash: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
                                                                              • Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(?,0042E41D), ref: 0042E410
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: 874db3389c4172aa30432ca027f259e533f636a378579170be3356e0d0ef28c9
                                                                              • Instruction ID: 55140b1eedf56d48a55774d01a07de49d55d18186a895614534630d02c3c9fff
                                                                              • Opcode Fuzzy Hash: 874db3389c4172aa30432ca027f259e533f636a378579170be3356e0d0ef28c9
                                                                              • Instruction Fuzzy Hash: D4B09B7671C6105DFB05D695745152D63D4D7C57203E14577F010D7580D53D58004D18
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
                                                                              • Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
                                                                              • Opcode Fuzzy Hash: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
                                                                              • Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f5c68f552ed74045d4ecaf4ea1ad1c13e781980e3dd0252519992c1da40edc52
                                                                              • Instruction ID: 3a42617683b163d9d3e29dc322e321d1f787465d7b697eb1a78dfeb7447b1e7e
                                                                              • Opcode Fuzzy Hash: f5c68f552ed74045d4ecaf4ea1ad1c13e781980e3dd0252519992c1da40edc52
                                                                              • Instruction Fuzzy Hash: CB518574E042099FEB01EFA9C892AAEBBF5EF49314F50417AE500E7351DB389D45CB98
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0047DC20,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DBDA
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide
                                                                              • String ID:
                                                                              • API String ID: 626452242-0
                                                                              • Opcode ID: 6347e2abfdb9d8760a4239e6b67e4a018abca6dee8a8eb8bc94886bd32a16ad8
                                                                              • Instruction ID: a4a2cf2857c8d8ea8b604d5a3bb359359cf50968c17c86877c7e7666634e0114
                                                                              • Opcode Fuzzy Hash: 6347e2abfdb9d8760a4239e6b67e4a018abca6dee8a8eb8bc94886bd32a16ad8
                                                                              • Instruction Fuzzy Hash: 79519C30A04248AFDB20DF65D8C5BAABBB8EB18304F118077E804A73A1D778AD45CB59
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• GetLastError.KERNEL32(00000000,00453019), ref: 00452FFB
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
APIs
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
• SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
• GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
• FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F
Strings
Similarity
• API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
• String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
• API String ID: 2323315520-3614243559
APIs
• GetTickCount.KERNEL32 ref: 00458993
• QueryPerformanceCounter.KERNEL32(02113858,00000000,00458C26,?,?,02113858,00000000,?,00459322,?,02113858,00000000), ref: 0045899C
• GetSystemTimeAsFileTime.KERNEL32(02113858,02113858), ref: 004589A6
• GetCurrentProcessId.KERNEL32(?,02113858,00000000,00458C26,?,?,02113858,00000000,?,00459322,?,02113858,00000000), ref: 004589AF
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458A25
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02113858,02113858), ref: 00458A33
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,00458BE2), ref: 00458A7B
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00458BD1,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,00458BE2), ref: 00458AB4
  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458B5D
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00458B93
• CloseHandle.KERNEL32(000000FF,00458BD8,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458BCB
  • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
Strings
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
• String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
• API String ID: 770386003-3271284199
APIs
  • Part of subcall function 0047828C: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BE0,?,?,?,02112BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782A5
  • Part of subcall function 0047828C: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004782AB
  • Part of subcall function 0047828C: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BE0,?,?,?,02112BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782BE
  • Part of subcall function 0047828C: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BE0,?,?,?,02112BE0), ref: 004782E8
  • Part of subcall function 0047828C: CloseHandle.KERNEL32(00000000,?,?,?,02112BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 00478306
  • Part of subcall function 00478364: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004783F6,?,?,?,02112BE0,?,00478458,00000000,0047856E,?,?,-00000010,?), ref: 00478394
• ShellExecuteEx.SHELL32(0000003C), ref: 004784A8
• GetLastError.KERNEL32(00000000,0047856E,?,?,-00000010,?), ref: 004784B1
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004784FE
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478522
• CloseHandle.KERNEL32(00000000,00478553,00000000,00000000,000000FF,000000FF,00000000,0047854C,?,00000000,0047856E,?,?,-00000010,?), ref: 00478546
Strings
Similarity
• API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 883996979-221126205
APIs
• SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
• ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14
Similarity
• API ID: MessageSendShowWindow
• String ID:
• API String ID: 1631623395-0
APIs
• IsIconic.USER32(?), ref: 004183A3
• GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
• GetWindowRect.USER32(?), ref: 004183DC
• GetWindowLongA.USER32(?,000000F0), ref: 004183EA
• GetWindowLongA.USER32(?,000000F8), ref: 004183FF
• ScreenToClient.USER32(00000000), ref: 00418408
• ScreenToClient.USER32(00000000,?), ref: 00418413
Strings
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 004555DF
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555E5
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004555FE
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455625
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045562A
• ExitWindowsEx.USER32(00000002,00000000), ref: 0045563B
Strings
                                                                              Similarity
                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                              • String ID: SeShutdownPrivilege
                                                                              • API String ID: 107509674-3733053543
                                                                              • Opcode ID: 905e5c4f0c040865ada5a790a5680192090f128290145b13f19b3701cccf3d3d
                                                                              • Instruction ID: f0f78ca649e8ddc1473c2e21848b41e7847a09c75f53dffa28e6f5675cd8c776
                                                                              • Opcode Fuzzy Hash: 905e5c4f0c040865ada5a790a5680192090f128290145b13f19b3701cccf3d3d
                                                                              • Instruction Fuzzy Hash: 32F0F670284B42B9E610AA758C13F3B21C89B40B49F80083EBD09EA1C3D7BDC80C4A2F
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D4F5
                                                                              • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D505
                                                                              • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D515
                                                                              • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F47B,00000000,0047F4A4), ref: 0045D53A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$CryptVersion
                                                                              • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                              • API String ID: 1951258720-508647305
                                                                              • Opcode ID: 6323a5a980eb8feb456ca02504bfb6ad995229d531f09a6584140c28355fd360
                                                                              • Instruction ID: 2c2546d05897d0e560449e180de6b9da44e6f0241588afb6de3da162f6531889
                                                                              • Opcode Fuzzy Hash: 6323a5a980eb8feb456ca02504bfb6ad995229d531f09a6584140c28355fd360
                                                                              • Instruction Fuzzy Hash: 3AF012F0940704EBEB18DFB6BCC67623695ABD531AF14C137A404A51A2E778044CCE1D
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000,00497D90,?,?,00000000,0049B628), ref: 00497ACB
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00497B4E
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00497B8A,?,00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000), ref: 00497B66
                                                                              • FindClose.KERNEL32(000000FF,00497B91,00497B8A,?,00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000,00497D90), ref: 00497B84
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FileFind$AttributesCloseFirstNext
                                                                              • String ID: isRS-$isRS-???.tmp
                                                                              • API String ID: 134685335-3422211394
                                                                              • Opcode ID: ba647548f34564e7f56f6c808fa7faec3af05a969934c2433d5159a38f0bbcda
                                                                              • Instruction ID: b2847bb1a44685988a55541ee7ac685ebeb66ffb5e30493f66813578f7a68db2
                                                                              • Opcode Fuzzy Hash: ba647548f34564e7f56f6c808fa7faec3af05a969934c2433d5159a38f0bbcda
                                                                              • Instruction Fuzzy Hash: A63165719146186FCF10EF65CC41ADEBBBCDB45318F5084F7A808A32A1E638AE458F58
                                                                              APIs
                                                                              • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457449
                                                                              • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457470
                                                                              • SetForegroundWindow.USER32(?), ref: 00457481
                                                                              • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,0045775B,?,00000000,00457797), ref: 00457746
                                                                              Strings
                                                                              • Cannot evaluate variable because [Code] isn't running yet, xrefs: 004575C6
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                              • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                              • API String ID: 2236967946-3182603685
                                                                              • Opcode ID: fe95ac23089f8abddac86e3d9ae11b4981b9e88786854755ce7e63a50dbcddc8
                                                                              • Instruction ID: 5bc10c0d354cae83c82450a0913647aad13fd3ad71d4eb48676ad76960377df7
                                                                              • Opcode Fuzzy Hash: fe95ac23089f8abddac86e3d9ae11b4981b9e88786854755ce7e63a50dbcddc8
                                                                              • Instruction Fuzzy Hash: D9910034608204EFD715CF54E991F5ABBF9EB89305F2180BAED0897792D638AE04DF58
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F37), ref: 00455E28
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E2E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                              • API String ID: 1646373207-3712701948
                                                                              • Opcode ID: b5f149e20a31f3d313834126475bcf244ddb8ed42aa7b007c000aa6233a22d25
                                                                              • Instruction ID: 12dfdd1b414f9b5fa57bb507e68127e36b1c1a940f154b23c6ee37fdedd7ee09
                                                                              • Opcode Fuzzy Hash: b5f149e20a31f3d313834126475bcf244ddb8ed42aa7b007c000aa6233a22d25
                                                                              • Instruction Fuzzy Hash: 66415171A04649AFCF01EFA5C8929EFB7B8EF49304F508566F800F7252D6785E09CB69
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 00417D1F
                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Placement$Iconic
                                                                              • String ID: ,
                                                                              • API String ID: 568898626-3772416878
                                                                              • Opcode ID: 419626ddcb93f619c016e5eb608395eb97e33a9638738bd346f5ce49c9230b00
                                                                              • Instruction ID: 117db6d3727d0f94901dea8748b8d47281c3d2add8a8e77c7f929e434730b1f7
                                                                              • Opcode Fuzzy Hash: 419626ddcb93f619c016e5eb608395eb97e33a9638738bd346f5ce49c9230b00
                                                                              • Instruction Fuzzy Hash: 41213171604208ABCF40EF69E8C0EEA77B8AF49314F05456AFD18DF246C678DD84CB68
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001,00000000,00464205), ref: 00464079
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 00464108
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,004641BA,?,00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 0046419A
                                                                              • FindClose.KERNEL32(000000FF,004641C1,004641BA,?,00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 004641B4
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$CloseErrorFirstModeNext
                                                                              • String ID:
                                                                              • API String ID: 4011626565-0
                                                                              • Opcode ID: ae980c7907389dfafffe65f94222ffd443bde6570b10391f97ae33023227fa5d
                                                                              • Instruction ID: 2652c2d8e8669354d55d474f1d59e7b06630ff05c6329d0403030a32038cf055
                                                                              • Opcode Fuzzy Hash: ae980c7907389dfafffe65f94222ffd443bde6570b10391f97ae33023227fa5d
                                                                              • Instruction Fuzzy Hash: 1E418770A00618AFCF10EF65DC55ADEB7B8EB89705F5044BAF804E7381E67C9E848E59
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001,00000000,004646AB), ref: 00464539
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 0046457F
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00464658,?,00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 00464634
                                                                              • FindClose.KERNEL32(000000FF,0046465F,00464658,?,00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 00464652
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$CloseErrorFirstModeNext
                                                                              • String ID:
                                                                              • API String ID: 4011626565-0
                                                                              • Opcode ID: 8a1b155a3f91a4aa9fbf35308e738363c59e35d7d54ec670dc4b6b29b87b573a
                                                                              • Instruction ID: 7635123f594c8b6db569002a9bb01bf8fa96c74c2cf80da52efac59b167f1e7c
                                                                              • Opcode Fuzzy Hash: 8a1b155a3f91a4aa9fbf35308e738363c59e35d7d54ec670dc4b6b29b87b573a
                                                                              • Instruction Fuzzy Hash: D8416171A00A18EBCB10EFA5CC959DEB7B9EB88305F4044AAF804A7351E77C9E448E59
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E966
                                                                              • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E991
                                                                              • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E99E
                                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E9A6
                                                                              • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E9AC
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                              • String ID:
                                                                              • API String ID: 1177325624-0
                                                                              • Opcode ID: db388d08dfb8c48f2ab297580a8778080e815d8e8b0b37ff587e49df53ef3670
                                                                              • Instruction ID: 40e29ed62a0e901db822078ff48c294e58af048427126d47a83bbc7ee0829aa9
                                                                              • Opcode Fuzzy Hash: db388d08dfb8c48f2ab297580a8778080e815d8e8b0b37ff587e49df53ef3670
                                                                              • Instruction Fuzzy Hash: 4BF090B23A17207AF620B57A6C86F7F418CC785B68F10823BBB04FF1C1D9A85D05556D
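The two "APIs" listings above (the SeShutdownPrivilege chain at 004555DF..0045563B and the DeviceIoControl call at 0042E991) are the kind of call sequence an analyst wants to pull out of a report like this mechanically. The following is an added triage helper, not part of the Joe Sandbox report or of the sample; it parses the bullet lines of an "APIs" block into ordered calls, checks for the OpenProcessToken -> LookupPrivilegeValueA("SeShutdownPrivilege") -> AdjustTokenPrivileges -> ExitWindowsEx chain, decodes the ExitWindowsEx flags, and splits the DeviceIoControl code into its CTL_CODE fields. The CTL_CODE bit layout and the EWX_* values are the Windows SDK definitions; the IOCTL name table holds only the one code seen in this report (0x9C040, which is FSCTL_SET_COMPRESSION) and everything else decodes as "unknown". The two input blocks are copied from the report lines above and embedded as constructed sample input.

```python
import re
from dataclasses import dataclass

# Constructed input: the "APIs" lines of two function blocks from this report,
# copied verbatim (the shutdown-privilege chain and the DeviceIoControl call).
SHUTDOWN_BLOCK = """\
• GetCurrentProcess.KERNEL32(00000028), ref: 004555DF
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555E5
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004555FE
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455625
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045562A
• ExitWindowsEx.USER32(00000002,00000000), ref: 0045563B
"""
IOCTL_BLOCK = """\
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E966
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E991
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E9A6
"""

# One report line: "• Name.MODULE(arg,arg,...), ref: HEXADDR"
LINE_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int  # call-site address; used to order calls within the function


def parse_api_block(text):
    """Parse the bullet lines of a Joe Sandbox 'APIs' block into ApiCall records, in call-site order."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        name, module, raw_args, ref = m.groups()
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(name, module, args, int(ref, 16)))
    return sorted(calls, key=lambda c: c.ref)


# (API name, argument literal that must be present, or None for any arguments)
SHUTDOWN_CHAIN = [
    ("OpenProcessToken", None),
    ("LookupPrivilegeValueA", "SeShutdownPrivilege"),
    ("AdjustTokenPrivileges", None),
    ("ExitWindowsEx", None),
]


def matches_chain(calls, chain):
    """True if the chain's APIs occur in call-site order (not necessarily adjacent),
    each carrying the required argument literal where one is given."""
    i = 0
    for c in calls:
        want_name, want_arg = chain[i]
        if c.name == want_name and (want_arg is None or want_arg in c.args):
            i += 1
            if i == len(chain):
                return True
    return False


# ExitWindowsEx uFlags bits (Windows SDK values); no bit set means EWX_LOGOFF (0).
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE", 0x8: "EWX_POWEROFF"}


def decode_ewx(flags):
    names = [n for bit, n in EWX_FLAGS.items() if flags & bit]
    return names or ["EWX_LOGOFF"]


# CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0].
# Only the code seen in this report is named; everything else decodes as "unknown".
CTL_NAMES = {(0x9, 16, 0): "FSCTL_SET_COMPRESSION"}  # FILE_DEVICE_FILE_SYSTEM, fn 16, METHOD_BUFFERED


def decode_ioctl(code):
    device, access = (code >> 16) & 0xFFFF, (code >> 14) & 0x3
    function, method = (code >> 2) & 0xFFF, code & 0x3
    return {"device": device, "access": access, "function": function, "method": method,
            "name": CTL_NAMES.get((device, function, method), "unknown")}


def hex_arg(s):
    """Report arguments are hex literals or '?' (unresolved) or a string; return int or None."""
    try:
        return int(s, 16)
    except ValueError:
        return None


def triage(text):
    """Summarise a block's call sequence: shutdown-privilege chain, ExitWindowsEx flags, IOCTLs."""
    calls = parse_api_block(text)
    out = {"shutdown_chain": matches_chain(calls, SHUTDOWN_CHAIN), "ewx": [], "ioctls": []}
    for c in calls:
        if c.name == "ExitWindowsEx" and c.args and hex_arg(c.args[0]) is not None:
            out["ewx"] = decode_ewx(hex_arg(c.args[0]))
        if c.name == "DeviceIoControl" and len(c.args) > 1 and hex_arg(c.args[1]) is not None:
            out["ioctls"].append(decode_ioctl(hex_arg(c.args[1])))
    return out


if __name__ == "__main__":
    for label, block in (("shutdown", SHUTDOWN_BLOCK), ("ioctl", IOCTL_BLOCK)):
        print(label, triage(block))
```

The chain match deliberately allows unrelated calls between the four steps (the GetLastError after AdjustTokenPrivileges is the usual ERROR_NOT_ALL_ASSIGNED check), so it still fires when the compiler interleaves other calls. The ExitWindowsEx first argument in the report is 00000002, which decodes to EWX_REBOOT alone; without EWX_FORCE the call can be blocked by applications that refuse WM_QUERYENDSESSION, which is worth knowing when judging whether this routine is a reliable kill switch or just the installer's "restart now" prompt.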
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 004833FA
                                                                              • GetWindowLongA.USER32(00000000,000000F0), ref: 00483418
                                                                              • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A4,004828DE,00482912,00000000,00482932,?,?,?,0049C0A4), ref: 0048343A
                                                                              • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A4,004828DE,00482912,00000000,00482932,?,?,?,0049C0A4), ref: 0048344E
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Show$IconicLong
                                                                              • String ID:
                                                                              • API String ID: 2754861897-0
                                                                              • Opcode ID: 26f2524beb83a1697fb2f3c3d4c3f5548a09f48141019de32dcd2365822c4b68
                                                                              • Instruction ID: 9902e76ed030cf172564c6423cfc444f456bf65fce7539c2ce1f68efba32f602
                                                                              • Opcode Fuzzy Hash: 26f2524beb83a1697fb2f3c3d4c3f5548a09f48141019de32dcd2365822c4b68
                                                                              • Instruction Fuzzy Hash: 4D017134A452019EEB11BBA5DD8AB5B27C45F10B09F08083BB9029F2A3CB6D9D41D71C
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00462B90), ref: 00462B14
• FindNextFileA.KERNEL32(000000FF,?,00000000,00462B70,?,00000000,?,00000000,00462B90), ref: 00462B50
• FindClose.KERNEL32(000000FF,00462B77,00462B70,?,00000000,?,00000000,00462B90), ref: 00462B6A
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: f304b7e405ec9403326d096206e821460da1cdcff9736e6297f3d959ba5c8769
• Instruction ID: 0f193a6fcf1d943c675bf75123405c31ceeb2ecab595186adb6c93933d2a98b0
• Opcode Fuzzy Hash: f304b7e405ec9403326d096206e821460da1cdcff9736e6297f3d959ba5c8769
• Instruction Fuzzy Hash: 7121D871904B087EDB11DF65CC51ADEBBACDB49704F5084F7E808E31A1E6BCAE44CA5A
APIs
• IsIconic.USER32(?), ref: 004241F4
• SetActiveWindow.USER32(?,?,?,0046CFFB), ref: 00424201
  • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
  • Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021125AC,0042421A,?,?,?,0046CFFB), ref: 00423B5F
• SetFocus.USER32(00000000,?,?,?,0046CFFB), ref: 0042422E
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Window$ActiveFocusIconicShow
• String ID:
• API String ID: 649377781-0
• Opcode ID: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
• Instruction ID: 85e094fd83fda52d6ba69bb43f194f943737e29f022f28d5c3d7585fd8a6de7d
• Opcode Fuzzy Hash: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
• Instruction Fuzzy Hash: ECF03A717001208BDB10EFAAA8C4B9662A8EF48344B5500BBBC09DF34BCA7CDC0187A8
APIs
• IsIconic.USER32(?), ref: 00417D1F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID:
• API String ID: 568898626-0
• Opcode ID: e9f294a83204c688928c4c422749f875b3ddc518ff0edd6358ab4a317cb2701d
• Instruction ID: b3485382f52430a3de90e88073d2477855dbbaeb9eeee9907b508ce44eeb6dab
• Opcode Fuzzy Hash: e9f294a83204c688928c4c422749f875b3ddc518ff0edd6358ab4a317cb2701d
• Instruction Fuzzy Hash: 02017C31204108ABDB10EE69E8C1EEA73A8AF45324F054567FD08CF242D639ECC087A8
APIs
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: CaptureIconic
• String ID:
• API String ID: 2277910766-0
• Opcode ID: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
• Instruction ID: edcb67aebd7cb7e0e4c3241a821d6ac110e093164443c601d5aebb18a23c44a8
• Opcode Fuzzy Hash: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
• Instruction Fuzzy Hash: A2F04F32304A028BDB21A72EC885AEB62F5DF84368B14443FE415CB765EB7CDCD58758
APIs
• IsIconic.USER32(?), ref: 004241AB
  • Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
  • Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
  • Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
  • Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
• SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF
  • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Window$ActiveEnumIconicLongShowWindows
• String ID:
• API String ID: 2671590913-0
• Opcode ID: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
• Instruction ID: ffd443eaca36288e12b0fd3e34cf0737071334a0f5e631569de285e60205db71
• Opcode Fuzzy Hash: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
• Instruction Fuzzy Hash: 02E0E5A470010187EF00EFAAD8C9B9662A9AB48304F55057ABC08CF24BDA78C954C724
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: c048b5060f638d2d21f70beb9f23f52c1df829a0825c59c0675cf40435b3c9a3
• Instruction ID: 2af12fea25256c3ae9471bae8fd4feed52cec15eb5e351c91de8273fd3ce68b3
• Opcode Fuzzy Hash: c048b5060f638d2d21f70beb9f23f52c1df829a0825c59c0675cf40435b3c9a3
• Instruction Fuzzy Hash: 055106316082058FD710DB6AD681A9BF3E5FF98304B2482BBD814C7392D7B8EDA1C759
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478B2A
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 9f19c8960208bf84e0a1f031f05f2c13e84af91581ae166fbadb947181b78a5a
• Instruction ID: 518aae51b6d6b411e39a58dd47dc5b2362a2c83c3bfed1ee6c3543fdde473bb3
• Opcode Fuzzy Hash: 9f19c8960208bf84e0a1f031f05f2c13e84af91581ae166fbadb947181b78a5a
• Instruction Fuzzy Hash: 04413775644104DFCB10CF99C6898AAB7F5FB48310B74CA9AE848DB705DB38EE41DB54
APIs
• ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045D5AB
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
• Instruction ID: 2e238a974be0c8424367b3c35ccc205e7f0a308c5ec670be841bb4718b7179ff
• Opcode Fuzzy Hash: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
• Instruction Fuzzy Hash: 37C09BF200420CBF660057D5ECC9C77B75CF6586547508126F6048210195726C104574
APIs
• ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DDBC,?,0046DF9D), ref: 0045D5BE
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
• Instruction ID: 227689971defb3a768f182aa15824e3680876923b4d994b81e1676941902ce31
• Opcode Fuzzy Hash: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
• Instruction Fuzzy Hash: 9DA002B0A80300BAFD2057B05D4EF26352CA7D0F05F708465B202EA0D085A56410852C
Memory Dump Source
• Source File: 00000002.00000002.3723859446.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000002.00000002.3723834207.0000000010000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3723939122.0000000010002000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000000_Ui6sm6N5JG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
• Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
• Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
• Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
Memory Dump Source
• Source File: 00000002.00000002.3723859446.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000002.00000002.3723834207.0000000010000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3723939122.0000000010002000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000000_Ui6sm6N5JG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
• Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
• Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
• Instruction Fuzzy Hash:
                                                                              APIs
                                                                                • Part of subcall function 0044B614: GetVersionExA.KERNEL32(00000094), ref: 0044B631
                                                                              • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
                                                                              • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
                                                                              • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6CB
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6DD
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6EF
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B701
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B713
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B725
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B737
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B749
                                                                              • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B75B
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B76D
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B77F
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B791
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B7A3
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7B5
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7C7
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7D9
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7EB
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7FD
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B80F
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B821
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B833
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B845
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B857
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B869
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B87B
                                                                              • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B88D
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B89F
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8B1
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8C3
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8D5
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8E7
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8F9
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B90B
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B91D
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B92F
                                                                              • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B941
                                                                              • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B953
                                                                              • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B965
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B977
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B989
                                                                              • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B99B
                                                                              • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B9AD
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9BF
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9D1
                                                                              • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9E3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoadVersion
                                                                              • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                              • API String ID: 1968650500-2910565190
                                                                              • Opcode ID: 0c8e19753f2f8210615bc5a5f26c821a667ede831694cf2c59d6b62027e60e29
                                                                              • Instruction ID: 346aa6b979044c2d6f95573bc57da9b6801dc261a15d858c7a91061cf3dc2738
                                                                              • Opcode Fuzzy Hash: 0c8e19753f2f8210615bc5a5f26c821a667ede831694cf2c59d6b62027e60e29
                                                                              • Instruction Fuzzy Hash: CC91E7B0A40B50EBEF00EBF5ADC6A2637A8EB15B14714467BB444EF295D778D800CF99
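The uxtheme.dll listing above (LoadLibraryA followed by a run of GetProcAddress calls) and the advapi32.dll listing later on this page (GetModuleHandleA followed by GetProcAddress for GetNamedSecurityInfoW, SetNamedSecurityInfoW and SetEntriesInAclW) are the raw material behind the "Contains functionality to dynamically determine API calls" signature. As an added example, not part of the Joe Sandbox report, the Python below parses these API-call bullets into structured records, reconstructs which symbols each loaded library resolves at run time, and separates out calls the plugin could only print as a raw address (such as 73E9A570.USER32 in the drawing routine). The sample input is a constructed excerpt copied from this page's listings; attributing a GetProcAddress to the most recent loader call is a heuristic, because the report prints the module-handle argument as 00000000.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: API-call lines copied from this report's
# uxtheme.dll and advapi32.dll listings, plus one call the plugin shows
# only by address. The "APIs"/"Strings" headers show that non-call lines
# are skipped.
SAMPLE = """\
APIs
  • Part of subcall function 0044B614: GetVersionExA.KERNEL32(00000094), ref: 0044B631
• LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
• GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B88D
• GetVersion.KERNEL32 ref: 0045CF3E
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CF5E
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CF6B
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CF78
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CF86
• 73E9A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
Strings
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE(args), ref: XXXXXXXX. The argument list is optional because the
# report prints argument-less calls as "GetVersion.KERNEL32 ref: ...".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str                  # address of the call site in the sample
    caller: Optional[str]     # set when the line is a "Part of subcall" entry


def parse_calls(text: str) -> List[Call]:
    """Parse API-call bullets; headers, hashes and dump-source lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(Call(m.group("api"), m.group("module"), args,
                          m.group("ref"), m.group("caller")))
    return calls


def dynamic_imports(calls: List[Call]) -> Dict[str, List[str]]:
    """Map each library loaded in this function to the symbols it then resolves.

    Heuristic: the report prints GetProcAddress's module handle as 00000000, so a
    GetProcAddress is attributed to the most recent LoadLibrary/GetModuleHandle
    call in the same function. Sub-call lines belong to a callee and are skipped.
    """
    imports: Dict[str, List[str]] = {}
    current = "<unknown module>"
    for c in calls:
        if c.caller is not None:
            continue
        if c.api in LOADERS and c.args:
            current = c.args[0].lower()
            imports.setdefault(current, [])
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            imports.setdefault(current, []).append(c.args[1])
    return imports


def unresolved_calls(calls: List[Call]) -> List[Tuple[str, str, str]]:
    """Calls the plugin could only name by address (e.g. 73E9A570.USER32)."""
    return [(c.api, c.module, c.ref) for c in calls if HEX8.match(c.api)]


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    for lib, syms in dynamic_imports(parsed).items():
        print(f"{lib}: {', '.join(syms)}")
    for api, mod, ref in unresolved_calls(parsed):
        print(f"unresolved {api} in {mod} at {ref}")
```

Run against the excerpt, the uxtheme.dll group is a complete theming shim and the advapi32.dll group is the ACL helper set; together with the Inno-Setup-RegSvr-Mutex handling, the _isetup\_RegDLL.tmp helper spawn and the .chm/.hlp delayed-delete strings on this page, these are the Inno Setup installer runtime, not the Socks5Systemz code the report classifies the sample as. For triage, that means the functions in this section mostly establish that the sample is an Inno Setup wrapper; the payload behaviour is in the dropped file and the unpacked memory dumps referenced elsewhere in the report, so the parser's output is best used to skip the installer boilerplate and spend analyst time on the remaining functions.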
                                                                              APIs
                                                                              • CreateMutexA.KERNEL32(00499B18,00000001,00000000,00000000,004584B9,?,?,?,00000001,?,004586D3,00000000,004586E9,?,00000000,0049B628), ref: 004581D1
                                                                              • CreateFileMappingA.KERNEL32(000000FF,00499B18,00000004,00000000,00002018,00000000), ref: 00458209
                                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045848F,?,00499B18,00000001,00000000,00000000,004584B9,?,?,?), ref: 00458230
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045833D
                                                                              • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045848F,?,00499B18,00000001,00000000,00000000,004584B9), ref: 00458295
                                                                                • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                              • CloseHandle.KERNEL32(004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458354
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045838D
                                                                              • GetLastError.KERNEL32(00000000,000000FF,004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045839F
                                                                              • UnmapViewOfFile.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458471
                                                                              • CloseHandle.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458480
                                                                              • CloseHandle.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458489
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                                                              • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
                                                                              • API String ID: 4012871263-351310198
                                                                              • Opcode ID: cc7ad6ccf5233eaebe813f6a5333062681ccb791baa3dad4f168156cebafbadf
                                                                              • Instruction ID: 29107a7cf73729034b65a1fcaaf08eab05738b19563c620e852bf3134b102344
                                                                              • Opcode Fuzzy Hash: cc7ad6ccf5233eaebe813f6a5333062681ccb791baa3dad4f168156cebafbadf
                                                                              • Instruction Fuzzy Hash: 46914170A002099BDB10EFA9C845B9EB7B4EB05305F50856FED14FB283DF7899498F69
                                                                              APIs
                                                                              • 73E9A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
                                                                              • 73EA4C40.GDI32(?,00000000,?,0041A954,?), ref: 0041CA5C
                                                                              • 73EA6180.GDI32(0041A954,?,00000001,00000001,00000000,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA80
                                                                              • 73EA4C00.GDI32(?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA90
                                                                              • SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
                                                                              • FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
                                                                              • SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
                                                                              • SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
                                                                              • PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
                                                                              • 73EA4C40.GDI32(?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954), ref: 0041CB3B
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
                                                                              • 73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954), ref: 0041CB84
                                                                              • 73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?), ref: 0041CB8D
                                                                              • 73E98830.GDI32(0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CB9C
                                                                              • 73E922A0.GDI32(0041CE4C,0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CBA5
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
                                                                              • SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
                                                                              • 73EA4D40.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC1A,?,?,00000000), ref: 0041CBF1
                                                                              • SelectObject.GDI32(00000000,?), ref: 0041CBFE
                                                                              • DeleteDC.GDI32(00000000), ref: 0041CC14
                                                                                • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Color$ObjectSelect$E922E98830Text$A570A6180DeleteFillRect
                                                                              • String ID:
                                                                              • API String ID: 1952589944-0
                                                                              • Opcode ID: adf6567a18e9830f1830aa63917bca934ba6755201e08534c76e5c919bac5cde
                                                                              • Instruction ID: 69ed6b4e4825e3c47d53d1ee88e95f0281db4649dcd7e45998b3becab3701dfd
                                                                              • Opcode Fuzzy Hash: adf6567a18e9830f1830aa63917bca934ba6755201e08534c76e5c919bac5cde
                                                                              • Instruction Fuzzy Hash: 6261EC71A44609AFDF10EBE9DC86F9FB7B8EF48704F14446AB504E7281D67CA9408B68
                                                                              APIs
                                                                              • ShowWindow.USER32(?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000,?,004984EF,00000000,004984F9,?,00000000), ref: 00497E23
                                                                              • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000,?,004984EF,00000000), ref: 00497E36
                                                                              • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000), ref: 00497E46
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00497E67
                                                                              • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000), ref: 00497E77
                                                                                • Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,0045606A,00000000,004560D2), ref: 0042D491
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                              • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                              • API String ID: 2000705611-3672972446
                                                                              • Opcode ID: 082597774f549eda738f03d74d98f9d52f67cfbc56a945ed8bd031ee0c63b3f6
                                                                              • Instruction ID: d71e95358f961f9c8085103628ed7ebfe7aaf39cab9d6a0a027eda6f41515cae
                                                                              • Opcode Fuzzy Hash: 082597774f549eda738f03d74d98f9d52f67cfbc56a945ed8bd031ee0c63b3f6
                                                                              • Instruction Fuzzy Hash: C291B530A042449FDF11EBA9DC52BAE7FA4EF4A304F51447BF500AB292DA7DAC05CB59
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,0045ACF8,?,?,?,?,?,00000006,?,00000000,0049722D,?,00000000,004972D0), ref: 0045ABAA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                              • API String ID: 1452528299-3112430753
                                                                              • Opcode ID: c66920e5c30c99cf277918279cba3cc6becf5feca79c3c8df3d973bfdf2d3f66
                                                                              • Instruction ID: f5e388fb48f96f1c0466849e1c52bdf0d536658550fb6e74c3a20cf80cd44526
                                                                              • Opcode Fuzzy Hash: c66920e5c30c99cf277918279cba3cc6becf5feca79c3c8df3d973bfdf2d3f66
• Instruction Fuzzy Hash: 2271AE707002445BDB01EB69D8427AE77A6AF48316F50856BFC01DB383CA7C9A5DC79A
APIs
• GetVersion.KERNEL32 ref: 0045CF3E
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CF5E
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CF6B
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CF78
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CF86
  • Part of subcall function 0045CE2C: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CECB,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CEA5
• AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D179,?,?,00000000), ref: 0045D03F
• GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D179,?,?,00000000), ref: 0045D048
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• API String ID: 59345061-4263478283
• Opcode ID: 0692e2fed8a1faf7364eaae3f9f0a99faa4aa2306d0b5476e4b0968c8b8ae958
• Instruction ID: 4ce31bb81caf279f5ed3d10c62bb09a2aad5f6c7ba3f26a8019cd68bbbdcec0a
• Opcode Fuzzy Hash: 0692e2fed8a1faf7364eaae3f9f0a99faa4aa2306d0b5476e4b0968c8b8ae958
• Instruction Fuzzy Hash: E95193B1D00608EFDB10DFA9C845BAEBBB8EF48315F14806AF915B7381C2389945CF69
APIs
• CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,0045688D), ref: 00456592
• CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,0045688D), ref: 004565B8
• SysFreeString.OLEAUT32(?), ref: 00456745
Strings
• IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 0045672A
• CoCreateInstance, xrefs: 004565C3
• IShellLink::QueryInterface(IID_IPersistFile), xrefs: 004567B6
• IPersistFile::Save, xrefs: 00456814
• IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004566A7
• IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004566DB
• IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 0045677C
• IPropertyStore::Commit, xrefs: 00456795
Similarity
• API ID: CreateInstance$FreeString
• String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)
• API String ID: 308859552-3936712486
• Opcode ID: 7d0cfd58331e70c95d7e52b395728c42337191576a3ec6130da080a3535e9fef
• Instruction ID: c99fdec92309fd26656a6f7ea9bd91ecf5cc306c054acb75a5569a06f28a4b2e
• Opcode Fuzzy Hash: 7d0cfd58331e70c95d7e52b395728c42337191576a3ec6130da080a3535e9fef
• Instruction Fuzzy Hash: 29A13E71A00104AFDB50EFA9C885B9E7BF8EF09706F55406AF804E7252DB38DD48CB69
APIs
• 73EA4C40.GDI32(00000000,?,00000000,?), ref: 0041B3D3
• 73EA4C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3DD
• GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
• 73EA6180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B406
• 73E9A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B412
• 73EA4C00.GDI32(00000000,0000000B,?,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43F
• 73E9A480.USER32(00000000,00000000,0041B472,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B465
• SelectObject.GDI32(00000000,?), ref: 0041B480
• SelectObject.GDI32(?,00000000), ref: 0041B48F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
• SelectObject.GDI32(?,00000000), ref: 0041B4D7
• DeleteDC.GDI32(00000000), ref: 0041B4E0
• DeleteDC.GDI32(?), ref: 0041B4E9
Similarity
• API ID: Object$Select$Delete$A480A570A6180Stretch
• String ID:
• API String ID: 1888863034-0
• Opcode ID: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
• Instruction ID: 9e854467c286a28b18f31183f63f6c048648830cb6dea2264be82148a8da808a
• Opcode Fuzzy Hash: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
• Instruction Fuzzy Hash: DC419D71E40619AFDF10EAE9D846FAFB7B8EF08704F104466B614FB281D67969408BA4
APIs
  • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472F70
• SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00473077
• SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0047308D
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004730B2
Strings
Similarity
• API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
• String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
• API String ID: 971782779-3668018701
• Opcode ID: 0d90696b7f394c24cdb4db4d6ef42549a737ff1f83f29ed15b4b10dbb48a3fc8
• Instruction ID: 1ded2309c22d90a9957aabde76cedeacc99048359e90752decbb9b8a0015ab1b
• Opcode Fuzzy Hash: 0d90696b7f394c24cdb4db4d6ef42549a737ff1f83f29ed15b4b10dbb48a3fc8
• Instruction Fuzzy Hash: 8FD12574A00149AFDB01EFA9D581BDDBBF5AF08305F50806AF804B7392D778AE45CB69
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,?,00000000,?,00000000,00454AF9,?,0045AECE,00000003,00000000,00000000,00454B30), ref: 00454979
  • Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
• RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,00000000,?,00000004,00000000,00454A43,?,0045AECE,00000000,00000000,?,00000000,?,00000000), ref: 004549FD
• RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,00000000,?,00000004,00000000,00454A43,?,0045AECE,00000000,00000000,?,00000000,?,00000000), ref: 00454A2C
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548D0
• RegOpenKeyEx, xrefs: 004548FC
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454897
• , xrefs: 004548EA
Similarity
• API ID: QueryValue$FormatMessageOpen
• String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2812809588-1577016196
• Opcode ID: 77e820d85456ec5b21a3348e7c864f635890ca9680278173730b6b5baa6068b5
• Instruction ID: 44bd6ba1492406805f437c97fe518088f2f8e7c1bef0b67c8a01139b77ca8c69
• Opcode Fuzzy Hash: 77e820d85456ec5b21a3348e7c864f635890ca9680278173730b6b5baa6068b5
• Instruction Fuzzy Hash: C0911471944248ABDB10DFE5D942BDEB7FCEB48309F50406BF900FB282D6789E458B69
APIs
  • Part of subcall function 004596C8: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459805,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459715
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459863
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 004598CD
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459934
Strings
• v2.0.50727, xrefs: 004598BF
• SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 004598E7
• v4.0.30319, xrefs: 00459855
• SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459880
• .NET Framework version %s not found, xrefs: 0045996D
• SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459816
• v1.1.4322, xrefs: 00459926
• .NET Framework not found, xrefs: 00459981
Similarity
• API ID: Close$Open
• String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
• API String ID: 2976201327-446240816
• Opcode ID: a27e16b2435ffffe3ed3affd436a97f5188f93bd827438211cc6c054a476643b
• Instruction ID: 729b419896cd5506e065475e0ee5015c208a67e93f4f54458093df2d8724af3d
• Opcode Fuzzy Hash: a27e16b2435ffffe3ed3affd436a97f5188f93bd827438211cc6c054a476643b
• Instruction Fuzzy Hash: 0051A030A04145EBCB04DFA9C8A1BEE77B69B59305F54447FA841DB393D63D9E0E8B18
APIs
• CloseHandle.KERNEL32(?), ref: 00458DDF
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458DFB
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458E09
• GetExitCodeProcess.KERNEL32(?), ref: 00458E1A
• CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458E61
• Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458E7D
Strings
• Helper process exited, but failed to get exit code., xrefs: 00458E53
• Helper isn't responding; killing it., xrefs: 00458DEB
• Helper process exited with failure code: 0x%x, xrefs: 00458E47
• Helper process exited., xrefs: 00458E29
• Stopping 64-bit helper process. (PID: %u), xrefs: 00458DD1
Similarity
• API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
• String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
• API String ID: 3355656108-1243109208
• Opcode ID: e1e6f1a428ddc606cbac7e5be58ccbeaead76fc5c320782193580adc03ed748c
• Instruction ID: b06cb4cb11178ece3cea1db1bc2ca69ea432733d5239d7d0987fb8f0d427a68f
• Opcode Fuzzy Hash: e1e6f1a428ddc606cbac7e5be58ccbeaead76fc5c320782193580adc03ed748c
• Instruction Fuzzy Hash: D9216D706047009AD720E679C44275BB6E59F08709F04CC2FB999EB293DF78E8488B2A
APIs
  • Part of subcall function 0042DDF4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546EB,?,00000000,004547AF), ref: 0045463B
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546EB,?,00000000,004547AF), ref: 00454777
  • Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454553
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454583
• , xrefs: 0045459D
• RegCreateKeyEx, xrefs: 004545AF
                                                                              Similarity
                                                                              • API ID: CloseCreateFormatMessageQueryValue
                                                                              • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                              • API String ID: 2481121983-1280779767
                                                                              • Opcode ID: a579990beb4c9b51ec5b3fea0749880c5f06a70a884d2fa71269d98e88c3cf61
                                                                              • Instruction ID: a200d9e45076b9aa1c9026ee470310bfc0f5ccdb1a8093a9a555fb12639cba12
                                                                              • Opcode Fuzzy Hash: a579990beb4c9b51ec5b3fea0749880c5f06a70a884d2fa71269d98e88c3cf61
                                                                              • Instruction Fuzzy Hash: 6C81DE75A00209AFDB00DFD5C941BDFB7F9EB49309F50442AE901FB282D7789A45CB69
                                                                              APIs
                                                                                • Part of subcall function 004538A8: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 00453997
                                                                                • Part of subcall function 004538A8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 004539A7
                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0049669D
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,004967F1), ref: 004966BE
                                                                              • CreateWindowExA.USER32(00000000,STATIC,00496800,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004966E5
                                                                              • SetWindowLongA.USER32(?,000000FC,00495E78), ref: 004966F8
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000,STATIC,00496800), ref: 00496728
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0049679C
                                                                              • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000), ref: 004967A8
                                                                                • Part of subcall function 00453D1C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E03
                                                                              • 73EA5CF0.USER32(?,004967CB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000,STATIC), ref: 004967BE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                              • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                              • API String ID: 170458502-2312673372
                                                                              • Opcode ID: c09fb920bc7669bd65d78bc4791726942d010f86c1ff051557e4c77676e60077
                                                                              • Instruction ID: 3fac7199250898b77632ea887e905273a0ca2a52c1bf25bf17bddf130f7f486a
                                                                              • Opcode Fuzzy Hash: c09fb920bc7669bd65d78bc4791726942d010f86c1ff051557e4c77676e60077
                                                                              • Instruction Fuzzy Hash: EE413D70A44208AFDF01EFA5DC42F9E7BB8EB09714F61457AF500F7291D6799E008BA8
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047E1E8,00000000), ref: 0042E451
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E457
                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047E1E8,00000000), ref: 0042E4A5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressCloseHandleModuleProc
                                                                              • String ID: .DEFAULT\Control Panel\International$=aE$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                              • API String ID: 4190037839-1003587384
                                                                              • Opcode ID: 71ec1778410e517379c49e62a4abf791b893e005234a700e60dfa1d7d317b6f8
                                                                              • Instruction ID: 6214d84d9e891aa165dd1588e79579c1e4a82babed7fc21810c195be89e1891e
                                                                              • Opcode Fuzzy Hash: 71ec1778410e517379c49e62a4abf791b893e005234a700e60dfa1d7d317b6f8
                                                                              • Instruction Fuzzy Hash: 65215230B10219ABCB10EAE7DC45A9E77A8EB04318FA04877A500E7281EB7CDE41CA5C
                                                                              APIs
                                                                              • GetActiveWindow.USER32 ref: 00462D68
                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462D7C
                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462D89
                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462D96
                                                                              • GetWindowRect.USER32(?,00000000), ref: 00462DE2
                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462E20
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                              • API String ID: 2610873146-3407710046
                                                                              • Opcode ID: 07f038a1b45edca227de97dbc4e3a49cc5475e4390ab333f174a5f731d21d9c4
                                                                              • Instruction ID: 308e9426e96dcd15a0811dc773674cbbce9379ede84ac64ebea6e7762974983c
                                                                              • Opcode Fuzzy Hash: 07f038a1b45edca227de97dbc4e3a49cc5475e4390ab333f174a5f731d21d9c4
                                                                              • Instruction Fuzzy Hash: 8421A775701B046FD3019A64DD41F3B3395DB94714F08453AF944EB381E6B9EC018A9A
                                                                              APIs
                                                                              • GetActiveWindow.USER32 ref: 0042F1A4
                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1B8
                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1C5
                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1D2
                                                                              • GetWindowRect.USER32(?,00000000), ref: 0042F21E
                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F25C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                              • API String ID: 2610873146-3407710046
                                                                              • Opcode ID: fc179306045cef01cc7feea5ef12c7621bc9e212612d9656ab7fba5f67810d88
                                                                              • Instruction ID: f96f766bc13e38d455a6b30724ea53c80225cfaaeacd9570d6dca051b777ffc7
                                                                              • Opcode Fuzzy Hash: fc179306045cef01cc7feea5ef12c7621bc9e212612d9656ab7fba5f67810d88
                                                                              • Instruction Fuzzy Hash: 3221D7797057149BD300D664ED81F3B33A4DB85B14F88457AF944DB381D679EC044BA9
                                                                              APIs
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045915F,?,00000000,004591C2,?,?,02113858,00000000), ref: 00458FDD
                                                                              • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,004590F4,?,00000000,00000001,00000000,00000000,00000000,0045915F), ref: 0045903A
                                                                              • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,004590F4,?,00000000,00000001,00000000,00000000,00000000,0045915F), ref: 00459047
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00459093
                                                                              • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,004590CD,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,004590F4,?,00000000), ref: 004590B9
                                                                              • GetLastError.KERNEL32(?,?,00000000,00000001,004590CD,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,004590F4,?,00000000), ref: 004590C0
                                                                                • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                              • String ID: CreateEvent$TransactNamedPipe
                                                                              • API String ID: 2182916169-3012584893
                                                                              • Opcode ID: 1e3f92d8c22a05294e06b5c780760953f793dd62cf34ae2b617d69319ed8131f
                                                                              • Instruction ID: 50fb7c1009465aa7c5405e125e9101384e11cc4d6b330c20a7fc1de2f8ccdd80
                                                                              • Opcode Fuzzy Hash: 1e3f92d8c22a05294e06b5c780760953f793dd62cf34ae2b617d69319ed8131f
                                                                              • Instruction Fuzzy Hash: 68417F71A00608EFDB15DF99C985F9EB7F9EB08714F1044AAF904E72D2C6789E44CB28
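The summaries above are the report's per-function API listings. To compare this sample's functions against another run of a related binary (same Instruction Fuzzy Hash, same direct call sequence, same registry literals) it helps to have them as structured data rather than text. The parser below is an added example, not part of the Joe Sandbox report or its tooling. It assumes the line layout exactly as rendered on this page: an `APIs` header opens each summary, call lines read `Name.MODULE(args), ref: ADDR`, calls made inside a callee are prefixed with `Part of subcall function ADDR:`, string lines read `text, xrefs: ADDR`, and `Similarity` holds `Key: value` pairs. The embedded sample is built from the SharedDLLs registry block and the TransactNamedPipe block above; since the report does not print a function's start address, the lowest direct call site is used as the function's handle, which is an assumption of this example.

```python
"""Parse Joe Sandbox per-function summaries (APIs / Strings / Similarity) into queryable records."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: two summaries copied from this page (the SharedDLLs registry block, whose
# 'APIs' header is cut off above and restored here, and the TransactNamedPipe block).
SAMPLE = r"""
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546EB,?,00000000,004547AF), ref: 0045463B
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546EB,?,00000000,004547AF), ref: 00454777
  • Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454553
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454583
• , xrefs: 0045459D
• RegCreateKeyEx, xrefs: 004545AF
Similarity
• API ID: CloseCreateFormatMessageQueryValue
• Instruction Fuzzy Hash: 6C81DE75A00209AFDB00DFD5C941BDFB7F9EB49309F50442AE901FB282D7789A45CB69
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045915F,?,00000000,004591C2,?,?,02113858,00000000), ref: 00458FDD
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,004590F4,?,00000000,00000001,00000000,00000000,00000000,0045915F), ref: 0045903A
• GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,004590F4,?,00000000,00000001,00000000,00000000,00000000,0045915F), ref: 00459047
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00459093
• GetOverlappedResult.KERNEL32(?,?,00000000,00000001,004590CD,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,004590F4,?,00000000), ref: 004590B9
• GetLastError.KERNEL32(?,?,00000000,00000001,004590CD,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,004590F4,?,00000000), ref: 004590C0
  • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
Strings
Similarity
• API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
• Instruction Fuzzy Hash: 68417F71A00608EFDB15DF99C985F9EB7F9EB08714F1044AAF904E72D2C6789E44CB28
"""

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: Optional[str]
    subcall_of: Optional[str]  # callee address when the call happens inside a subroutine

@dataclass
class FunctionSummary:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (literal, xref)
    similarity: Dict[str, str] = field(default_factory=dict)

    @property
    def direct_apis(self) -> List[str]:
        return [c.api for c in self.calls if c.subcall_of is None]

    @property
    def address(self) -> Optional[str]:
        """Lowest direct call site; assumed here as a stable handle for the function."""
        refs = [c.ref for c in self.calls if c.subcall_of is None and c.ref]
        return min(refs) if refs else None

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<callee>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?"
    r"(?:,?\s*ref: (?P<ref>[0-9A-F]{8}))?\s*$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*?), xrefs: (?P<xref>[0-9A-F]{8})\s*$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+): (?P<value>.*)$")

def parse_report(text: str) -> List[FunctionSummary]:
    funcs: List[FunctionSummary] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:          # section headers carry no bullet
            if line == "APIs":        # every function summary opens with 'APIs'
                cur = FunctionSummary()
                funcs.append(cur)
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["callee"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append((m["text"], m["xref"]))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur.similarity[m["key"]] = m["value"]
    return funcs

def functions_calling(funcs: List[FunctionSummary], api: str) -> List[FunctionSummary]:
    """Functions whose own call list (subcalls excluded) contains `api`."""
    return [f for f in funcs if api in f.direct_apis]

def index_by_fuzzy_hash(funcs: List[FunctionSummary]) -> Dict[str, List[str]]:
    """Instruction Fuzzy Hash -> function addresses, to line up against another sample's report."""
    idx: Dict[str, List[str]] = {}
    for f in funcs:
        h = f.similarity.get("Instruction Fuzzy Hash")
        if h:
            idx.setdefault(h, []).append(f.address)
    return idx
```

Run `parse_report` over a whole report and `index_by_fuzzy_hash` gives the key set to intersect with a second report: a hash present in both marks a function that survived recompilation or repacking, and `functions_calling` then pulls out, for instance, every function that drives the named-pipe transaction or touches the SharedDLLs key. The subcall lines are kept but excluded from `direct_apis` so that a callee's calls do not inflate the sequence of the function under review.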
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456CBD,?,?,00000031,?), ref: 00456B80
                                                                              • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456B86
                                                                              • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456BD3
                                                                                • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                              • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                              • API String ID: 1914119943-2711329623
                                                                              • Opcode ID: 1f12b3bfc7457beb1676229d9a9ac5705a2be6c49cf36285249ab65db7443b7f
                                                                              • Instruction ID: a27b950e9f8baa5d3fd7d83d3f5f0f06fd95d714c0010da27a3b0cf72a10e13f
                                                                              • Opcode Fuzzy Hash: 1f12b3bfc7457beb1676229d9a9ac5705a2be6c49cf36285249ab65db7443b7f
                                                                              • Instruction Fuzzy Hash: AB319471B00604AFDB12EFAACC41D5BB7BDEB897557528466FC04D7252DA38DD04CB28
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                              • LocalFree.KERNEL32(004E5418,00000000,00401B68), ref: 00401ACF
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,004E5418,00000000,00401B68), ref: 00401AEE
                                                                              • LocalFree.KERNEL32(004E6418,?,00000000,00008000,004E5418,00000000,00401B68), ref: 00401B2D
                                                                              • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                              • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                              • String ID: <jN$LjN$iN
                                                                              • API String ID: 3782394904-1687608800
                                                                              • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                              • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                              • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                              • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                              APIs
                                                                              • RectVisible.GDI32(?,?), ref: 00416E23
                                                                              • SaveDC.GDI32(?), ref: 00416E37
                                                                              • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
                                                                              • RestoreDC.GDI32(?,?), ref: 00416E75
                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00416EF5
                                                                              • FrameRect.USER32(?,?,?), ref: 00416F28
                                                                              • DeleteObject.GDI32(?), ref: 00416F32
                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00416F42
                                                                              • FrameRect.USER32(?,?,?), ref: 00416F75
                                                                              • DeleteObject.GDI32(?), ref: 00416F7F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                              • String ID:
                                                                              • API String ID: 375863564-0
                                                                              • Opcode ID: e9e72d8966bdaf80817d84d11445bcfe7b70581a29c6dab9ad28bd9778771da1
                                                                              • Instruction ID: 305d9ddf0f7240c011be45b7bb8b7ddc49b42f68556790db257713301bb8c367
                                                                              • Opcode Fuzzy Hash: e9e72d8966bdaf80817d84d11445bcfe7b70581a29c6dab9ad28bd9778771da1
                                                                              • Instruction Fuzzy Hash: FC514C712086445FDB54EF69C8C0B9777E8AF48314F15466AFD488B287C738EC85CB99
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                              • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                              • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                              • String ID:
                                                                              • API String ID: 1694776339-0
                                                                              • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                              • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                              • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                              • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                              APIs
                                                                              • GetSystemMenu.USER32(00000000,00000000), ref: 00422243
                                                                              • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
                                                                              • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
                                                                              • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
                                                                              • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
                                                                              • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
                                                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
                                                                              • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
                                                                              • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
                                                                              • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Delete$EnableItem$System
                                                                              • String ID:
                                                                              • API String ID: 3985193851-0
                                                                              • Opcode ID: 510ebc35eb44907ae1e975f945bfd8864758d272309f2385250dfef8029dc5ab
                                                                              • Instruction ID: b791af981bedf3385b2dd143af085cc0c004e448fbd85fce69a0ff0a91ac5271
                                                                              • Opcode Fuzzy Hash: 510ebc35eb44907ae1e975f945bfd8864758d272309f2385250dfef8029dc5ab
                                                                              • Instruction Fuzzy Hash: 35213370340744BAE720D725DD8BF9B7BD89B04718F4440A5BA487F2D7C7F9AA80869C
                                                                              APIs
                                                                              • FreeLibrary.KERNEL32(10000000), ref: 00481499
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 004814AD
                                                                              • SendNotifyMessageA.USER32(000203D2,00000496,00002710,00000000), ref: 0048151F
                                                                              Strings
                                                                              • DeinitializeSetup, xrefs: 00481395
                                                                              • Not restarting Windows because Setup is being run from the debugger., xrefs: 004814CE
                                                                              • Restarting Windows., xrefs: 004814FA
                                                                              • Deinitializing Setup., xrefs: 004812FA
                                                                              • GetCustomSetupExitCode, xrefs: 00481339
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FreeLibrary$MessageNotifySend
                                                                              • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                              • API String ID: 3817813901-1884538726
                                                                              • Opcode ID: cfffdee43b38d7813a81b11c3b84a740b2c32b2c8dbaa0def3367d9992a49e61
                                                                              • Instruction ID: fb8259b883485ef9100c7f5c1e95e74d54582b152ce66d5af1bc00326fba4159
                                                                              • Opcode Fuzzy Hash: cfffdee43b38d7813a81b11c3b84a740b2c32b2c8dbaa0def3367d9992a49e61
                                                                              • Instruction Fuzzy Hash: 4451A034704240AFD711EB69D895B2E7BE9FB59704F50887BE801C72B1DB38A846CB5D
                                                                              APIs
                                                                              • SHGetMalloc.SHELL32(?), ref: 00461A33
                                                                              • GetActiveWindow.USER32 ref: 00461A97
                                                                              • CoInitialize.OLE32(00000000), ref: 00461AAB
                                                                              • SHBrowseForFolder.SHELL32(?), ref: 00461AC2
                                                                              • CoUninitialize.OLE32(00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AD7
                                                                              • SetActiveWindow.USER32(?,00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AED
                                                                              • SetActiveWindow.USER32(?,?,00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AF6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                              • String ID: A
                                                                              • API String ID: 2684663990-3554254475
                                                                              • Opcode ID: 6bf2c69099c90f86a267e24c634b690acb1506b8ce1301c413aa044d63ad6a36
                                                                              • Instruction ID: 1302daae15839a874164301860301a8b98b45f7dd6f96d3c0913b4bd506695dd
                                                                              • Opcode Fuzzy Hash: 6bf2c69099c90f86a267e24c634b690acb1506b8ce1301c413aa044d63ad6a36
                                                                              • Instruction Fuzzy Hash: 64314FB0E00248AFDB00EFE6D885A9EBBF8EB09304F51447AF404E7251E7785A44CF59
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000,?,00472F85,?,?,00000000,004731F4), ref: 00472C8C
                                                                                • Part of subcall function 0042CDA4: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE1A
                                                                                • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000,?,00472F85), ref: 00472D03
                                                                              • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000), ref: 00472D09
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                              • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                              • API String ID: 884541143-1710247218
                                                                              • Opcode ID: e52ff7fc8aad4532f2121d8bd5e8e7392c558ff45c5d59df65582d72ab666be0
                                                                              • Instruction ID: a2498b92200520dbea2b626460b71344a260e4c3afc9e0684e621ff8b49742b9
                                                                              • Opcode Fuzzy Hash: e52ff7fc8aad4532f2121d8bd5e8e7392c558ff45c5d59df65582d72ab666be0
                                                                              • Instruction Fuzzy Hash: 731122303005087BD721EA66DD82B9E73ACCB88714F60853BB404B72D1CB7CEE02865C
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D621
                                                                              • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D631
                                                                              • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D641
                                                                              • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D651
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc
                                                                              • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                              • API String ID: 190572456-3516654456
                                                                              • Opcode ID: fd665f86a4c397101f291ae51b8d6e2550680f8309e6d6ef8ebab45c29bb7339
                                                                              • Instruction ID: 6d5035e3426567f523c7c0f539c0fc89aa7e9857b83a97dd2a4ec5b9764e3533
                                                                              • Opcode Fuzzy Hash: fd665f86a4c397101f291ae51b8d6e2550680f8309e6d6ef8ebab45c29bb7339
                                                                              • Instruction Fuzzy Hash: 0D01ECB0900740DEEB24DFB6ACC572236A5ABA470AF14C13B980DD62A2D779044ADF2C
                                                                              APIs
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0041A9C9
                                                                              • 73EA4D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AA03
                                                                              • SetBkColor.GDI32(?,?), ref: 0041AA18
                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
                                                                              • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
                                                                              • SetBkColor.GDI32(00000000,?), ref: 0041AAD3
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Color$StretchText
                                                                              • String ID:
                                                                              • API String ID: 2984075790-0
                                                                              • Opcode ID: 318b750f44eee03e3b20258c50c4ae641761c2031fb7fe23ccccef054dc028d8
                                                                              • Instruction ID: 0e7efefeb240adcf91359f1fba61dc18d1efd34d50a4dd97ee32c9a960060edb
                                                                              • Opcode Fuzzy Hash: 318b750f44eee03e3b20258c50c4ae641761c2031fb7fe23ccccef054dc028d8
                                                                              • Instruction Fuzzy Hash: 9861C5B5A00105EFCB40EFADD985E9AB7F8AF08314B10856AF918DB261C735ED41CF68
                                                                              APIs
                                                                                • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,004580B4,?, /s ",?,regsvr32.exe",?,004580B4), ref: 00458026
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseDirectoryHandleSystem
                                                                              • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                              • API String ID: 2051275411-1862435767
                                                                              • Opcode ID: 55f146e1ef8f4e902545c9b8fd40e77843967da88cee367bff3e11b3e7507cae
                                                                              • Instruction ID: 809e342f07c36c5fe80e3456e65159aecd70c9e1b429d99a18f855550af0e9f5
                                                                              • Opcode Fuzzy Hash: 55f146e1ef8f4e902545c9b8fd40e77843967da88cee367bff3e11b3e7507cae
                                                                              • Instruction Fuzzy Hash: 97411570A043086BDB10EFD5D842B8EF7B9AB49705F51407FA904BB292DF789A0D8B19
                                                                              APIs
                                                                              • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1B9
                                                                              • GetSysColor.USER32(00000014), ref: 0044D1C0
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044D1D8
                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D201
                                                                              • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D20B
                                                                              • GetSysColor.USER32(00000010), ref: 0044D212
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044D22A
                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D253
                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D27E
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Text$Color$Draw$OffsetRect
                                                                              • String ID:
                                                                              • API String ID: 1005981011-0
                                                                              • Opcode ID: 0dad7e536888b1c395f42d34690ba7b0fa2f949a96348ff67bbd6a991a2663e5
                                                                              • Instruction ID: 3cb6cff9cb4fe1f97db5fca9cf7ecf77bacdc285bba155e9e6a5fbb2dce94e66
                                                                              • Opcode Fuzzy Hash: 0dad7e536888b1c395f42d34690ba7b0fa2f949a96348ff67bbd6a991a2663e5
                                                                              • Instruction Fuzzy Hash: 4921CFB42015007FC710FB6ACD8AE8B7BDCDF19319B01857AB918EB393C678DD408669
                                                                              APIs
                                                                              • GetFocus.USER32 ref: 0041B755
                                                                              • 73E9A570.USER32(?), ref: 0041B761
                                                                              • 73E98830.GDI32(00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B796
                                                                              • 73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B7A2
                                                                              • 73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B7D0
                                                                              • 73E98830.GDI32(00000000,00000000,00000000,0041B811,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B804
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: E98830$A570A6310E922Focus
                                                                              • String ID: k H
                                                                              • API String ID: 184897721-1447039187
                                                                              • Opcode ID: 4650e7e3a4975632b128e642f4d75ab8ab1f3030e92489ac81d42ae66184f42b
                                                                              • Instruction ID: e4fa2330707e2e3496a7563b6e1a8945dd65194040c1b513b55e56702052f46b
                                                                              • Opcode Fuzzy Hash: 4650e7e3a4975632b128e642f4d75ab8ab1f3030e92489ac81d42ae66184f42b
                                                                              • Instruction Fuzzy Hash: 33512D74A00208AFCB11DFA9C855AEEBBF9FF49704F104466F504A7390D7789981CBA9
                                                                              APIs
                                                                              • GetFocus.USER32 ref: 0041BA27
                                                                              • 73E9A570.USER32(?), ref: 0041BA33
                                                                              • 73E98830.GDI32(00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA6D
                                                                              • 73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA79
                                                                              • 73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BA9D
                                                                              • 73E98830.GDI32(00000000,00000000,00000000,0041BADE,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BAD1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: E98830$A570A6310E922Focus
                                                                              • String ID: k H
                                                                              • API String ID: 184897721-1447039187
                                                                              • Opcode ID: 69b514878c6882b8832b1f329327574619d6a3e89a85ba6a4f0b9ad1becc3db2
                                                                              • Instruction ID: 8a06375b061ea5bfc02952791cdae78cf5b61e443f36c9dad2d84499db0416b2
                                                                              • Opcode Fuzzy Hash: 69b514878c6882b8832b1f329327574619d6a3e89a85ba6a4f0b9ad1becc3db2
                                                                              • Instruction Fuzzy Hash: FE510975A002189FCB11DFA9C891AAEBBF9FF49700F15806AF504EB751D7789D40CBA4
                                                                              APIs
                                                                                • Part of subcall function 00450918: SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
                                                                                • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 00495F55
                                                                              • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00495F69
                                                                              • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00495F83
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495F8F
                                                                              • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495F95
                                                                              • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495FA8
                                                                              Strings
                                                                              • Deleting Uninstall data files., xrefs: 00495ECB
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                              • String ID: Deleting Uninstall data files.
                                                                              • API String ID: 1570157960-2568741658
                                                                              • Opcode ID: 23da1316c50969bb810f13416529c5ad46a4d90d4c3b6db3608d618ecf590902
                                                                              • Instruction ID: fec72cc46ef3efd5c3c8e8a450f489c3c08d507a48e2b84f6ee45df75d5b7e94
                                                                              • Opcode Fuzzy Hash: 23da1316c50969bb810f13416529c5ad46a4d90d4c3b6db3608d618ecf590902
                                                                              • Instruction Fuzzy Hash: 34219571304610AFEB11EB75ECC2B2637A8EB54338F61053BF504DA1E6D678AC008B1D
                                                                              APIs
                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                              • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004705A1,?,?,?,?,00000000), ref: 0047050B
                                                                              • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004705A1), ref: 00470522
                                                                              • AddFontResourceA.GDI32(00000000), ref: 0047053F
                                                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00470553
                                                                              Strings
                                                                              • Failed to set value in Fonts registry key., xrefs: 00470514
                                                                              • Failed to open Fonts registry key., xrefs: 00470529
                                                                              • AddFontResource, xrefs: 0047055D
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                              • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                              • API String ID: 955540645-649663873
                                                                              • Opcode ID: 2b4b64eddd1924655c58b9871aff7fb9a4f934a6e6bff31d8454543361526e14
                                                                              • Instruction ID: 66ce3b01f7eb708e2302e7809b1ea03697ff66c32de1c99646f3643d23023453
                                                                              • Opcode Fuzzy Hash: 2b4b64eddd1924655c58b9871aff7fb9a4f934a6e6bff31d8454543361526e14
                                                                              • Instruction Fuzzy Hash: 62216570741204BBDB10EA669C42FAE779D9B55708F50843BB904EB3C2D67CDE028A5D
                                                                              APIs
                                                                                • Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
                                                                                • Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
                                                                                • Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE
                                                                              • GetVersion.KERNEL32 ref: 004631CC
                                                                              • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0046320A
                                                                              • SHGetFileInfo.SHELL32(004632A8,00000000,?,00000160,00004011), ref: 00463227
                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 00463245
                                                                              • SetCursor.USER32(00000000,00000000,00007F02,004632A8,00000000,?,00000160,00004011), ref: 0046324B
                                                                              • SetCursor.USER32(?,0046328B,00007F02,004632A8,00000000,?,00000160,00004011), ref: 0046327E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                              • String ID: Explorer
                                                                              • API String ID: 2594429197-512347832
                                                                              • Opcode ID: e51ab44d2e52b3d60675834673e9b9904728f2271d1ef9b75da4c79774d1131e
                                                                              • Instruction ID: b0d998c5e58c3251a46d3edbb0a2afbc6be3b3781793d4cbec8386629f90fe5f
                                                                              • Opcode Fuzzy Hash: e51ab44d2e52b3d60675834673e9b9904728f2271d1ef9b75da4c79774d1131e
                                                                              • Instruction Fuzzy Hash: FA21E7307403446AEB10FF795C57F9A7698DB09709F5040BFF605EA1C3EA7C8908866D
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BE0,?,?,?,02112BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782A5
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004782AB
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BE0,?,?,?,02112BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782BE
                                                                              • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BE0,?,?,?,02112BE0), ref: 004782E8
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,02112BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 00478306
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                              • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                              • API String ID: 2704155762-2318956294
                                                                              • Opcode ID: 626e47d356fab76083b756a204e0250164ee9b03011d355f3d3167744cb8654e
                                                                              • Instruction ID: d6ca79aa4c48c3adffb9da4b01ee7f27494699adf3768a2d59cb90ace03db172
                                                                              • Opcode Fuzzy Hash: 626e47d356fab76083b756a204e0250164ee9b03011d355f3d3167744cb8654e
                                                                              • Instruction Fuzzy Hash: 5701C4707C0B0466E520316E4D8AFEB554C8B54B69F54813F7E0CEA2C2DDAE8D06016E
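The "APIs" lists above are the most useful part of each function entry for triage, but they are flat text: one bullet per call in the form `Api.MODULE(args), ref: address`, with `Part of subcall function XXXXXXXX:` prefixes for calls made one level down, unresolved imports shown as a raw address in place of a name (for example `73E9A570.USER32`), and a parenthesised argument list that is, to my understanding, whatever the plugin found on the stack at the call site and therefore often runs past the real parameter count. The following Python is an added example, not part of the Joe Sandbox report or its plugin: it parses such lines into records, decodes the `OpenProcess` access mask (the `00100000` seen at `00495F69` is `SYNCHRONIZE`), and emits short findings. The sample input is copied from the entries above and embedded so the script runs offline; the access-mask table and the `triage` heuristics are my own, not anything the report defines.

```python
"""Parse Joe Sandbox IDA-plugin "APIs" bullets into records and triage them."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample: lines copied from the report's "APIs" sections for the
# uninstall-cleanup function (ref 00495F55..) and the GetFinalPathNameByHandleA
# resolver (ref 004782A5..), plus one unresolved GDI/USER call.
SAMPLE = """\
  • Part of subcall function 00450918: SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00495F55
• OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00495F69
• SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00495F83
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495F8F
• CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495F95
• Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495FA8
• GetFocus.USER32 ref: 0041B755
• 73E9A570.USER32(?), ref: 0041B761
• GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BE0,?,?,?,02112BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782A5
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004782AB
"""

# One bullet: optional subcall prefix, Api.MODULE, optional (args), ref: hex.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Strings on the stack that look like exported API names (own heuristic).
API_NAME_RE = re.compile(r"[A-Z][A-Za-z0-9]{3,}")

# Process access rights as documented for OpenProcess (standard Win32 values).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}

Arg = Union[int, str, None]


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[Arg, ...]
    ref: int
    subcall_of: Optional[int]

    @property
    def resolved(self) -> bool:
        # The plugin prints an 8-hex-digit address where it could not name the import.
        return re.fullmatch(r"[0-9A-F]{8}", self.api) is None


def _arg(tok: str) -> Arg:
    """'?' -> None; hex (optionally signed) -> int; anything else stays a string.
    Limitation: a string that happens to be valid hex (e.g. 'BEEF') becomes an int."""
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers such as "APIs" / "Strings" are skipped
        args = tuple(_arg(a) for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["subfn"], 16) if m["subfn"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), sub))
    return calls


def decode_access_mask(mask: int, table=PROCESS_ACCESS) -> List[str]:
    """Expand a desired-access mask into names; unknown bits are kept as hex."""
    names, leftover = [], mask
    for bit, name in table.items():
        if mask & bit:
            names.append(name)
            leftover &= ~bit
    if leftover:
        names.append(hex(leftover))
    return names


def triage(calls: List[ApiCall]) -> List[str]:
    """Own heuristics: findings a reviewer would want from one function's call list."""
    findings = []
    stack_strings = {a for c in calls for a in c.args if isinstance(a, str)}
    api_names = sorted(s for s in stack_strings if API_NAME_RE.fullmatch(s))
    for c in calls:
        if c.api == "OpenProcess" and c.args and isinstance(c.args[0], int):
            findings.append(f"{c.ref:08X}: OpenProcess access={'|'.join(decode_access_mask(c.args[0]))}")
        elif c.api == "Sleep" and c.args and isinstance(c.args[0], int):
            findings.append(f"{c.ref:08X}: Sleep {c.args[0]} ms")
        elif c.api == "GetProcAddress":
            findings.append(f"{c.ref:08X}: dynamic import resolution; API-name strings on stack: "
                            + (", ".join(api_names) or "none"))
        if not c.resolved:
            findings.append(f"{c.ref:08X}: unresolved import {c.api} in {c.module}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_api_lines(SAMPLE)):
        print(finding)
```

Run on the sample this reports the `SYNCHRONIZE`-only `OpenProcess` (the caller only waits on the process, it does not read or write it), the 500 ms `Sleep`, the `GetFinalPathNameByHandleA` string sitting on the stack next to `GetProcAddress`, and the unresolved `73E9A570` import. Feed it a whole report's "APIs" sections and the same findings come out per `ref` address, which is quicker than reading the bullets by eye.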
                                                                              APIs
                                                                              • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                              • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                              • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                              • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                              • String ID: <jN$LjN$iN
                                                                              • API String ID: 730355536-1687608800
                                                                              • Opcode ID: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
                                                                              • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                                              • Opcode Fuzzy Hash: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
                                                                              • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,0045A2F2,?,00000000,00000000,00000000,?,00000006,?,00000000,0049722D,?,00000000,004972D0), ref: 0045A236
                                                                                • Part of subcall function 004543E0: FindClose.KERNEL32(000000FF,004544D6), ref: 004544C5
                                                                              Strings
                                                                              • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A2AB
                                                                              • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A210
                                                                              • Failed to delete directory (%d). Will retry later., xrefs: 0045A24F
                                                                              • Failed to strip read-only attribute., xrefs: 0045A204
                                                                              • Failed to delete directory (%d)., xrefs: 0045A2CC
                                                                              • Deleting directory: %s, xrefs: 0045A1BF
                                                                              • Stripped read-only attribute., xrefs: 0045A1F8
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseErrorFindLast
                                                                              • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                              • API String ID: 754982922-1448842058
                                                                              • Opcode ID: 3a6653ca049153ac913e3aecd6f83d976b01ed6d176f23095ac7eac981277501
                                                                              • Instruction ID: e72d66395cbcced70a1ff0d39e5b36b51bb4b2a363b16cebf3a96f2a9050ba33
                                                                              • Opcode Fuzzy Hash: 3a6653ca049153ac913e3aecd6f83d976b01ed6d176f23095ac7eac981277501
                                                                              • Instruction Fuzzy Hash: 9A41A730A042449ACB00DBA988463AE76A55F4930AF5486BBBC04D7393CB7D8E1D875F
                                                                              APIs
                                                                              • GetCapture.USER32 ref: 00422EB4
                                                                              • GetCapture.USER32 ref: 00422EC3
                                                                              • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
                                                                              • ReleaseCapture.USER32 ref: 00422ECE
                                                                              • GetActiveWindow.USER32 ref: 00422EDD
                                                                              • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
                                                                              • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
                                                                              • GetActiveWindow.USER32 ref: 00422FCF
                                                                              Similarity
                                                                              • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                              • String ID:
                                                                              • API String ID: 862346643-0
                                                                              • Opcode ID: f8c2677d6609ac077b52c6186ee7afb2eac2e0eedff02b6813b422cc668acf14
                                                                              • Instruction ID: 0c1e69f79f034fd7694da938dfb4ae80f60ee9794ae3f0b0e2c785ff7ec3c7d8
                                                                              • Opcode Fuzzy Hash: f8c2677d6609ac077b52c6186ee7afb2eac2e0eedff02b6813b422cc668acf14
                                                                              • Instruction Fuzzy Hash: E4413F70B00254AFDB10EB6ADA42B9A77F1EF44304F5540BAF500AB392DB78AE40DB5D
                                                                              APIs
                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0042F2CA
                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 0042F2E1
                                                                              • GetActiveWindow.USER32 ref: 0042F2EA
                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F317
                                                                              • SetActiveWindow.USER32(?,0042F447,00000000,?), ref: 0042F338
                                                                              Similarity
                                                                              • API ID: Window$ActiveLong$Message
                                                                              • String ID:
                                                                              • API String ID: 2785966331-0
                                                                              • Opcode ID: 511403c039d27e5fd3d4a37a0efbe646b1f0bba5a7b321b537e6f3b04ffedf77
                                                                              • Instruction ID: 0493a3c03df3966e51b4b777c60d25e7c68e0b9e8cdf2dbcd65ae894a3a71964
                                                                              • Opcode Fuzzy Hash: 511403c039d27e5fd3d4a37a0efbe646b1f0bba5a7b321b537e6f3b04ffedf77
                                                                              • Instruction Fuzzy Hash: 7631B471A00654AFDB01EFB5DC52E6EBBB8EB09714B91447AF804E3691D738AD10CB58
                                                                              APIs
                                                                              • 73E9A570.USER32(00000000), ref: 0042949A
                                                                              • GetTextMetricsA.GDI32(00000000), ref: 004294A3
                                                                                • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 004294B2
                                                                              • GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 004294C6
                                                                              • 73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294CE
                                                                              • GetSystemMetrics.USER32(00000006), ref: 004294F3
                                                                              • GetSystemMetrics.USER32(00000006), ref: 0042950D
                                                                              Similarity
                                                                              • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                                              • String ID:
                                                                              • API String ID: 361401722-0
                                                                              • Opcode ID: ed5406780fbe6b6ddf9677d4a66f370c2a77f814a30f66ac1398573dbf155f17
                                                                              • Instruction ID: f9189b99ec718bdc55f682ba078bc6b9c4dab98ca430e676b6dc028aca6f8884
                                                                              • Opcode Fuzzy Hash: ed5406780fbe6b6ddf9677d4a66f370c2a77f814a30f66ac1398573dbf155f17
                                                                              • Instruction Fuzzy Hash: 3301E1917087513BFB11B67A9CC2F6B61C8CB8435CF44043FFA459A3D2D96C9C80866A
                                                                              APIs
                                                                              • 73E9A570.USER32(00000000,?,00419069,004985AE), ref: 0041DE37
                                                                              • 73EA4620.GDI32(00000000,0000005A,00000000,?,00419069,004985AE), ref: 0041DE41
                                                                              • 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419069,004985AE), ref: 0041DE4E
                                                                              • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
                                                                              • GetStockObject.GDI32(00000007), ref: 0041DE6B
                                                                              • GetStockObject.GDI32(00000005), ref: 0041DE77
                                                                              • GetStockObject.GDI32(0000000D), ref: 0041DE83
                                                                              • LoadIconA.USER32(00000000,00007F00), ref: 0041DE94
                                                                              Similarity
                                                                              • API ID: ObjectStock$A4620A480A570IconLoad
                                                                              • String ID:
                                                                              • API String ID: 2905290459-0
                                                                              • Opcode ID: c7b946ff5d18463f692f08f3109d9fac972284bfbf41894a6d0fe66ccf938658
                                                                              • Instruction ID: 4e0a0a69a1fbcc37fa68332f5170e2556ef2fd96a8c36c1a21edcb526b0e3b4b
                                                                              • Opcode Fuzzy Hash: c7b946ff5d18463f692f08f3109d9fac972284bfbf41894a6d0fe66ccf938658
                                                                              • Instruction Fuzzy Hash: E11100B06457015AE740FF666A92BA63694D724708F00813FF605AF3D2D7792C449B9E
                                                                              APIs
                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 004636B0
                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,00463745), ref: 004636B6
                                                                              • SetCursor.USER32(?,0046372D,00007F02,00000000,00463745), ref: 00463720
                                                                              Similarity
                                                                              • API ID: Cursor$Load
                                                                              • String ID: $ $Internal error: Item already expanding
                                                                              • API String ID: 1675784387-1948079669
                                                                              • Opcode ID: 11d96d50149c7a0783bfaa5a1745a1d7ac95eac117891e2e72ad5ff3e9801c67
                                                                              • Instruction ID: 5f7148262a90782ca5f39c73a98182432cf514ee5891adbc4e31059349ad3c9c
                                                                              • Opcode Fuzzy Hash: 11d96d50149c7a0783bfaa5a1745a1d7ac95eac117891e2e72ad5ff3e9801c67
                                                                              • Instruction Fuzzy Hash: EEB19270600284DFD710DF29C585B9ABBF1AF04319F14C4AAE8459B792E778EE48CF5A
                                                                              APIs
                                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E03
                                                                              Similarity
                                                                              • API ID: PrivateProfileStringWrite
                                                                              • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                              • API String ID: 390214022-3304407042
                                                                              • Opcode ID: 4808755b3c6221495a972d98e090ec94bd7c13575b017f43438820c08e4f7dc1
                                                                              • Instruction ID: f7f3e57e327ad0b7fc32dd9a0c0ef844c3cf52932767352b59a94e8a2e0b7a1e
                                                                              • Opcode Fuzzy Hash: 4808755b3c6221495a972d98e090ec94bd7c13575b017f43438820c08e4f7dc1
                                                                              • Instruction Fuzzy Hash: 0E910534E001099BDB01EFA5D842BDEB7F5EF4874AF50806AE90077292D7786E49CB59
                                                                              APIs
                                                                              • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476BC5
                                                                              • 73EA59E0.USER32(00000000,000000FC,00476B20,00000000,00476E04,?,00000000,00476E2E), ref: 00476BEC
                                                                              • GetACP.KERNEL32(00000000,00476E04,?,00000000,00476E2E), ref: 00476C29
                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476C6F
                                                                              Similarity
                                                                              • API ID: ClassInfoMessageSend
                                                                              • String ID: COMBOBOX$Inno Setup: Language
                                                                              • API String ID: 1455646776-4234151509
                                                                              • Opcode ID: 93cc19c1f2ae3cdeb94a735bb7db030fa770b3f4550c722f8e96ab60bc3149ff
                                                                              • Instruction ID: 76a62d5c2b18ddabed1a1f2db415f61daf58d6c828ad3828204ddc2489713d7e
                                                                              • Opcode Fuzzy Hash: 93cc19c1f2ae3cdeb94a735bb7db030fa770b3f4550c722f8e96ab60bc3149ff
                                                                              • Instruction Fuzzy Hash: 4E813C346006059FC720DF69C985AEAB7F2FB09304F1580BAE849E7762D738ED41CB59
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,00408970,?,?,?,?,00000000,00000000,00000000,?,00409977,00000000,0040998A), ref: 00408742
                                                                                • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                                • Part of subcall function 004085BC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF
                                                                              Similarity
                                                                              • API ID: InfoLocale$DefaultSystem
                                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                              • API String ID: 1044490935-665933166
                                                                              • Opcode ID: c01586f9bbb032a7f0f1a98200a37c80c0f70fbac98b28b944ff8a28395f8419
                                                                              • Instruction ID: bf07bec6589cb82417a29d9109d5e68838e6a5c97ac1b9e4b464d3d1e075229e
                                                                              • Opcode Fuzzy Hash: c01586f9bbb032a7f0f1a98200a37c80c0f70fbac98b28b944ff8a28395f8419
                                                                              • Instruction Fuzzy Hash: 55513E24B00108ABD701FBA69E41A9E77A9DB94304F50C07FA541BB3C7DA3DDE05975D
                                                                              APIs
                                                                              • GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
                                                                              • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A
                                                                                • Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6
                                                                              • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6
                                                                                • Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0
                                                                              • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                              • String ID: ,$?
                                                                              • API String ID: 2359071979-2308483597
                                                                              • Opcode ID: 0b2693d76eb6c03a37913dcbbd37782b63df6b44dbfb9d662716933429e9dd30
                                                                              • Instruction ID: df95c3f439c97799bb0998fa3429798e8a176efd4e8e18b788060c5868d8049e
                                                                              • Opcode Fuzzy Hash: 0b2693d76eb6c03a37913dcbbd37782b63df6b44dbfb9d662716933429e9dd30
                                                                              • Instruction Fuzzy Hash: BA51F674A00144ABDB10EF6ADC816DA7BF9AF09304B11857BF914E73A6E738DD41CB58
                                                                              APIs
                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
                                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
                                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
                                                                              • DeleteObject.GDI32(?), ref: 0041BFAF
                                                                              • DeleteObject.GDI32(?), ref: 0041BFB8
                                                                              • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                              • String ID:
                                                                              • API String ID: 1030595962-0
                                                                              • Opcode ID: 5d40efa9a489d930f0c3474e6c583d61de37ea4c8bf925e82c26674748b1ae5a
                                                                              • Instruction ID: 0934d86ca8fb123134a847d885dc0ae0ba41a9d0998c4bba382ea8cf266d8dc0
                                                                              • Opcode Fuzzy Hash: 5d40efa9a489d930f0c3474e6c583d61de37ea4c8bf925e82c26674748b1ae5a
                                                                              • Instruction Fuzzy Hash: 5A510571E00219AFCB14DFA9C8819EEBBF9EF48314B11442AF914E7391D738AD81CB64
                                                                              APIs
                                                                              • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
                                                                              • 73EA4620.GDI32(00000000,00000026), ref: 0041CF2D
                                                                              • 73E98830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF93
                                                                              • 73E922A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CFA2
                                                                              • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
                                                                              • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
                                                                              • 73E98830.GDI32(?,?,00000001,0041D07C,00000000,00000026), ref: 0041D06F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Stretch$E98830$A4620BitsE922Mode
                                                                              • String ID:
                                                                              • API String ID: 4209919087-0
                                                                              • Opcode ID: ba9b00c7f19e374317db92bbaed8cea8fa7d56fa7ee5636777b85d926aa1c199
                                                                              • Instruction ID: 415929d19c0355200a34ec50ec85ee50bdb26205500aadc12dd1df5ccaef5bc8
                                                                              • Opcode Fuzzy Hash: ba9b00c7f19e374317db92bbaed8cea8fa7d56fa7ee5636777b85d926aa1c199
                                                                              • Instruction Fuzzy Hash: 7A514EB0604200AFD714DFA9C995F9BBBF9EF08304F10859AB549DB292C779ED81CB58
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,?,?), ref: 00457166
                                                                                • Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC
                                                                                • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                • Part of subcall function 0041EEB4: 73EA5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09
                                                                                • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004571CD
                                                                              • TranslateMessage.USER32(?), ref: 004571EB
                                                                              • DispatchMessageA.USER32(?), ref: 004571F4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Message$TextWindow$A5940CurrentDispatchSendThreadTranslate
                                                                              • String ID: [Paused]
                                                                              • API String ID: 1715333840-4230553315
                                                                              • Opcode ID: a723b0617cbdde8b0455b730e79db8c0792bcf361dff27c4d69091156c9f8888
                                                                              • Instruction ID: cc82e29175726c0716c689c1ffa83d11e9869aeff1ced20ba9c80888b84e3111
                                                                              • Opcode Fuzzy Hash: a723b0617cbdde8b0455b730e79db8c0792bcf361dff27c4d69091156c9f8888
                                                                              • Instruction Fuzzy Hash: 013196309082489EDB11DBB5EC81FDEBBB8DB49314F5540B7F800E7292D67C9909CB69
                                                                              APIs
                                                                              • GetCursor.USER32(00000000,0046B897), ref: 0046B814
                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 0046B822
                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B897), ref: 0046B828
                                                                              • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B897), ref: 0046B832
                                                                              • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B897), ref: 0046B838
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$LoadSleep
                                                                              • String ID: CheckPassword
                                                                              • API String ID: 4023313301-1302249611
                                                                              • Opcode ID: 653d9654f76fc9f2c348947714f395caa5fd1a5bea1654e8e7fe328d35dfe1b3
                                                                              • Instruction ID: aec6a0205c5a75bc54f0fc291e1a1f9730d999611bc1887dd1e74dc6007ab6bd
                                                                              • Opcode Fuzzy Hash: 653d9654f76fc9f2c348947714f395caa5fd1a5bea1654e8e7fe328d35dfe1b3
                                                                              • Instruction Fuzzy Hash: 333164346406049FD711EB69C889F9E7BE4EF49304F5580B6F844DB3A2D778AD40CB99
                                                                              APIs
                                                                                • Part of subcall function 00477AB0: GetWindowThreadProcessId.USER32(00000000), ref: 00477AB8
                                                                                • Part of subcall function 00477AB0: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477BAF,0049C0A4,00000000), ref: 00477ACB
                                                                                • Part of subcall function 00477AB0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477AD1
                                                                              • SendMessageA.USER32(00000000,0000004A,00000000,00477F42), ref: 00477BBD
                                                                              • GetTickCount.KERNEL32 ref: 00477C02
                                                                              • GetTickCount.KERNEL32 ref: 00477C0C
                                                                              • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477C61
                                                                              Strings
                                                                              • CallSpawnServer: Unexpected response: $%x, xrefs: 00477BF2
                                                                              • CallSpawnServer: Unexpected status: %d, xrefs: 00477C4A
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                              • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                              • API String ID: 613034392-3771334282
                                                                              • Opcode ID: 56bd6ace22e6e2035f5031cc9978de37ae905e15686cac3f17074c750df7538a
                                                                              • Instruction ID: 65d184c56696bd8d6baefe4a5ac293f093c2dd543b1706e930bc299cdf77f89e
                                                                              • Opcode Fuzzy Hash: 56bd6ace22e6e2035f5031cc9978de37ae905e15686cac3f17074c750df7538a
                                                                              • Instruction Fuzzy Hash: B131A474B042149ADB11EBB988867EEB6A09F48304F90C47AF548EB392D67C9E41879D
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00459BA3
                                                                              Strings
                                                                              • Failed to load .NET Framework DLL "%s", xrefs: 00459B88
                                                                              • CreateAssemblyCache, xrefs: 00459B9A
                                                                              • .NET Framework CreateAssemblyCache function failed, xrefs: 00459BC6
                                                                              • Fusion.dll, xrefs: 00459B43
                                                                              • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00459BAE
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc
                                                                              • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                              • API String ID: 190572456-3990135632
                                                                              • Opcode ID: edece01ff0b44ec29f5677049ed357158d3b305d3ba0728d372a41e2f192b5a4
                                                                              • Instruction ID: 1db31b6b51e2e068c3f61674d824012408e1fbc1d182cf764eafebb5ab4ea00f
                                                                              • Opcode Fuzzy Hash: edece01ff0b44ec29f5677049ed357158d3b305d3ba0728d372a41e2f192b5a4
                                                                              • Instruction Fuzzy Hash: EF318970E00619EBDB01EFA5C88169EB7B8AF44315F50857BE814E7382D738AE09C799
                                                                              APIs
                                                                                • Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065
                                                                              • GetFocus.USER32 ref: 0041C178
                                                                              • 73E9A570.USER32(?), ref: 0041C184
                                                                              • 73E98830.GDI32(?,?,00000000,00000000,0041C203,?,?), ref: 0041C1A5
                                                                              • 73E922A0.GDI32(?,?,?,00000000,00000000,0041C203,?,?), ref: 0041C1B1
                                                                              • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
                                                                              • 73E98830.GDI32(?,00000000,00000000,0041C20A,?,?), ref: 0041C1F0
                                                                              • 73E9A480.USER32(?,?,0041C20A,?,?), ref: 0041C1FD
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: E98830$A480A570BitsE922FocusObject
                                                                              • String ID:
                                                                              • API String ID: 2688936647-0
                                                                              • Opcode ID: 32c019c2b17a625013bd7d07803e420f9d7b692fe3dc5f877fb11705181084ab
                                                                              • Instruction ID: a51b9c7cee13939b32e911f1849152ebfa7eb0d73570b73294f05c7218cf190f
                                                                              • Opcode Fuzzy Hash: 32c019c2b17a625013bd7d07803e420f9d7b692fe3dc5f877fb11705181084ab
• Instruction Fuzzy Hash: A0116A71E40609BBDB10DBE9CC85FAFBBFCEF48700F54446AB518E7281D67899008B28
APIs
• GetSystemMetrics.USER32(0000000E), ref: 00418C80
• GetSystemMetrics.USER32(0000000D), ref: 00418C88
• 6F9A2980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E
  • Part of subcall function 004099C0: 6F99C400.COMCTL32(0049B628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099C4
• 6FA0CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
• 6FA0C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
• 6FA0CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
• 6F9A0860.COMCTL32(0049B628,00418D1F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: MetricsSystem$A0860A2980C400C740
• String ID:
• API String ID: 1086221473-0
• Opcode ID: 33c04b7a68779a44c69ffbd8ad79940853ad3b201d45ee57610259a2e4dbeb77
• Instruction ID: e0b43fe86d74620756cf035266125a11838772e9d6ef4bcae2e69295d5b8951d
• Opcode Fuzzy Hash: 33c04b7a68779a44c69ffbd8ad79940853ad3b201d45ee57610259a2e4dbeb77
• Instruction Fuzzy Hash: A11149B1744204BBEB10EBA9DC83F5E73B8DB48704F6044BAB604E72D2DB799D409759
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004837A4), ref: 00483789
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: CloseOpen
• String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
• API String ID: 47109696-2530820420
• Opcode ID: ae1742725748cd88b87d9fe0d1248e5a5e1a514a3c9083b9a236ca5d7aa17843
• Instruction ID: 8316402a246994b7737153b66ed252a9f16b12b2be78e08e0fa98e077eb8f510
• Opcode Fuzzy Hash: ae1742725748cd88b87d9fe0d1248e5a5e1a514a3c9083b9a236ca5d7aa17843
• Instruction Fuzzy Hash: 0311B1B4704244AADB10FF65CC52B5E7AE9DB41B19F60C87BA400A7282EB38CA05875C
APIs
• 73E9A570.USER32(00000000,?,?,00000000), ref: 00494EE9
  • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
• SelectObject.GDI32(00000000,00000000), ref: 00494F0B
• GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495489), ref: 00494F1F
• GetTextMetricsA.GDI32(00000000,?), ref: 00494F41
• 73E9A480.USER32(00000000,00000000,00494F6B,00494F64,?,00000000,?,?,00000000), ref: 00494F5E
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00494F16
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 1435929781-222967699
• Opcode ID: f7d6f97b91dc48adac3cf3527b9ba73e93ee7bba49e4f60ed72cccac08d23d6d
• Instruction ID: 6f18d4fe6cef93123b0455e30b82395b7dbfc0c8f911bccc88a8e51c4d6277b1
• Opcode Fuzzy Hash: f7d6f97b91dc48adac3cf3527b9ba73e93ee7bba49e4f60ed72cccac08d23d6d
• Instruction Fuzzy Hash: 95018476A04609BFEB00DBA9CC41F5EB7ECDB89704F51447AB600E7281D678AE018B28
APIs
• SelectObject.GDI32(00000000,?), ref: 0041B480
• SelectObject.GDI32(?,00000000), ref: 0041B48F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
• SelectObject.GDI32(?,00000000), ref: 0041B4D7
• DeleteDC.GDI32(00000000), ref: 0041B4E0
• DeleteDC.GDI32(?), ref: 0041B4E9
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: ObjectSelect$Delete$Stretch
• String ID:
• API String ID: 1458357782-0
• Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
• Instruction ID: 28529174ed8a1a36c66279ad8c479dcd7ed434ba0fbaa502c63cdd0cc078bbc5
• Opcode Fuzzy Hash: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
• Instruction Fuzzy Hash: A1114C72E40559ABDF10D6D9D885FAFB3BCEF08704F048456B614FB241C678A8418B54
APIs
• GetCursorPos.USER32 ref: 004233BF
• WindowFromPoint.USER32(?,?), ref: 004233CC
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
• GetCurrentThreadId.KERNEL32 ref: 004233E1
• SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
• SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
• SetCursor.USER32(00000000), ref: 00423423
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
• String ID:
• API String ID: 1770779139-0
• Opcode ID: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
• Instruction ID: 219e0d69ac6b6a38dcb61baa39fbc914f783b163521ae56cddb293ea60412e1c
• Opcode Fuzzy Hash: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
• Instruction Fuzzy Hash: E601D42230472036D6217B795C86E2F26A8CFC5B15F50457FB649BB283DA3D8C0063BD
APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00494D0C
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00494D19
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00494D26
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
• API String ID: 667068680-2254406584
• Opcode ID: 70207861a9ddbbfcf1ec4c2ebf1ed82301f215222d5c3051e71e037128298d5d
• Instruction ID: 42226921e916c2e61715a17367c32eae2b2292ab525ca03b869d6a68ec0a34c4
• Opcode Fuzzy Hash: 70207861a9ddbbfcf1ec4c2ebf1ed82301f215222d5c3051e71e037128298d5d
• Instruction Fuzzy Hash: 6CF0F69AB41B1466DA2025B68C81F7B698CCFD1B71F050337BE04A7382ED9D8D0642AD
APIs
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D9F5
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DA05
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DA15
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: AddressProc
• String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
• API String ID: 190572456-212574377
• Opcode ID: 01040e06415ef817a4763b016626a28be3372e477bb5bd5db3809bf0997a53ea
• Instruction ID: e47ea2fb967bc5a05fa6d8d3c64fcba096cc564050e4d812c51f788cc71ed1ca
• Opcode Fuzzy Hash: 01040e06415ef817a4763b016626a28be3372e477bb5bd5db3809bf0997a53ea
• Instruction Fuzzy Hash: 2BF030B0D05300DFEB24DFB29CC372336959BA4316F14803B9A0D96267D278088CCE2C
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,00480D8E), ref: 0042EA45
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA4B
• InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA5C
  • Part of subcall function 0042E9BC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9D2
  • Part of subcall function 0042E9BC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
  • Part of subcall function 0042E9BC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9E9
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA70
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
• String ID: ChangeWindowMessageFilterEx$user32.dll
• API String ID: 142928637-2676053874
• Opcode ID: d06cc84e9d2e4e0b448c748badd712702b96776d6b0267aa2fd44745f5a2b4d6
• Instruction ID: 2c8c4e1fda890c3dedf4e0e73620de090a3a9d5666271f16a874a7bcdd66483b
• Opcode Fuzzy Hash: d06cc84e9d2e4e0b448c748badd712702b96776d6b0267aa2fd44745f5a2b4d6
• Instruction Fuzzy Hash: 52E092A1741720EAEA10B7B67CC6F9A2668E714729F54403BF100A51E1C3BD1C80CE9E
APIs
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044F099), ref: 0044C7FB
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C80C
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C81C
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
• API String ID: 2238633743-1050967733
• Opcode ID: c58342e6ebd42d3e550f5fa79659fa064c9032f03f8e913941057cc824ddc2bd
• Instruction ID: d5a6e329c062b47ae4ba9e11e7719f1ec1b45dd3e70fac445fdcae0b1af11dcb
• Opcode Fuzzy Hash: c58342e6ebd42d3e550f5fa79659fa064c9032f03f8e913941057cc824ddc2bd
• Instruction Fuzzy Hash: 64F0FE70246305CAFB50BBB5FDC67223694E3A4B0AF18137BE40156192D7BC4444CF4C
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,004985F4), ref: 00478B42
                                                                              • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
                                                                              • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478B5F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule
                                                                              • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                              • API String ID: 667068680-222143506
                                                                              • Opcode ID: dff5fcaa570554af533fa68d6d4d47fa30ed3b2efb34bda6c6df081b9be12d17
                                                                              • Instruction ID: 8ade474bf949b7c868f23be577f60042bf37b8b7e1302e6d2b868e4e2d48ad49
                                                                              • Opcode Fuzzy Hash: dff5fcaa570554af533fa68d6d4d47fa30ed3b2efb34bda6c6df081b9be12d17
                                                                              • Instruction Fuzzy Hash: D4C0E9F0AC1740EEAA00E7F15CDAD762558D514B34724943F754DAA193D97D58044A2C
                                                                              APIs
                                                                              • GetFocus.USER32 ref: 0041B58E
                                                                              • 73E9A570.USER32(?,00000000,0041B668,?,?,?,?), ref: 0041B59A
                                                                              • 73EA4620.GDI32(?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5B6
                                                                              • 73ECE680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5D3
                                                                              • 73ECE680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668), ref: 0041B5EA
                                                                              • 73E9A480.USER32(?,?,0041B643,?,?), ref: 0041B636
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: E680$A4620A480A570Focus
                                                                              • String ID:
                                                                              • API String ID: 2226671993-0
                                                                              • Opcode ID: 5d7c3ba993e5eebd83af6d17b2c287e498e3d287d4e0c623dc28ca4d995b2802
                                                                              • Instruction ID: 7d41d09f6123fe0998bcf531a8d6f09bc5b1e179d78523dd82c4b1b978091a2c
                                                                              • Opcode Fuzzy Hash: 5d7c3ba993e5eebd83af6d17b2c287e498e3d287d4e0c623dc28ca4d995b2802
                                                                              • Instruction Fuzzy Hash: 7E41D571A04254AFDB10DFA9C886EAFBBB4EB55704F1484AAF500EB351D3389D11CBA5
                                                                              APIs
                                                                              • SetLastError.KERNEL32(00000057,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D41B
                                                                              • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D4E8,?,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D45A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                              • API String ID: 1452528299-1580325520
                                                                              • Opcode ID: 4cfdc77ab01fb36c91946a35bece077a72b39e520f3a0bad4193af408e0f5770
                                                                              • Instruction ID: bfdb5615fdc952ab51c5d4d36cfcdc52ba3649a349ed7733e19bd606ff263fd4
                                                                              • Opcode Fuzzy Hash: 4cfdc77ab01fb36c91946a35bece077a72b39e520f3a0bad4193af408e0f5770
                                                                              • Instruction Fuzzy Hash: A6117835A04204ABD731DE95C941A5E76DCDF46306F608077AD0596283D67C6F0A952A
                                                                              APIs
                                                                              • GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
                                                                              • GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
                                                                              • 73E9A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF9
                                                                              • 73EA4620.GDI32(00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE20
                                                                              • 73EA4620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE2D
                                                                              • 73E9A480.USER32(00000000,00000000,0041BE73,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE66
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: A4620MetricsSystem$A480A570
                                                                              • String ID:
                                                                              • API String ID: 4120540252-0
                                                                              • Opcode ID: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
                                                                              • Instruction ID: cee0947e7f2791638d7e7c91bd9cc57ffb528c4a132e606019bcc307a049f0f1
                                                                              • Opcode Fuzzy Hash: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
                                                                              • Instruction Fuzzy Hash: 40212C74E046499FEB00EFA9C982BEEB7B4EB48714F10842AF514B7781D7785940CBA9
                                                                              APIs
                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 0047E272
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CFF1), ref: 0047E298
                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 0047E2A8
                                                                              • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E2C9
                                                                              • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E2DD
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E2F9
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Long$Show
                                                                              • String ID:
                                                                              • API String ID: 3609083571-0
                                                                              • Opcode ID: f65d960a6ef7549d8abdb9e067b5e5f1b226f2d151c0a96430342ef03e516e78
                                                                              • Instruction ID: 64a3e6c2176d4acc74ea6130292171d5cd043058eec335b926c35577e1896bc6
                                                                              • Opcode Fuzzy Hash: f65d960a6ef7549d8abdb9e067b5e5f1b226f2d151c0a96430342ef03e516e78
                                                                              • Instruction Fuzzy Hash: DE010CB5651210ABE600D769DE41F66379CAB0D334F0503AAB959DF2E3C729EC009B49
                                                                              APIs
                                                                                • Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B
                                                                              • UnrealizeObject.GDI32(00000000), ref: 0041B28C
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B29E
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0041B2C1
                                                                              • SetBkMode.GDI32(?,00000002), ref: 0041B2CC
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0041B2E7
                                                                              • SetBkMode.GDI32(?,00000001), ref: 0041B2F2
                                                                                • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                              • String ID:
                                                                              • API String ID: 3527656728-0
                                                                              • Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
                                                                              • Instruction ID: 5f3c9a08814bcb0dec11b684bd4148c9aa8da507e688bf70d4fc6563dceee2e6
                                                                              • Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
                                                                              • Instruction Fuzzy Hash: 7EF0C2B1651501ABCE00FFBAD9CAE4B37A89F043097088057B544DF197C97CD8548B3D
                                                                              APIs
                                                                                • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                              • ShowWindow.USER32(?,00000005,00000000,00497991,?,?,00000000), ref: 00497762
                                                                                • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                • Part of subcall function 004072B0: SetCurrentDirectoryA.KERNEL32(00000000,?,0049778A,00000000,0049795D,?,?,00000005,00000000,00497991,?,?,00000000), ref: 004072BB
                                                                                • Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,0045606A,00000000,004560D2), ref: 0042D491
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                              • String ID: .dat$.msg$IMsg$Uninstall
                                                                              • API String ID: 3312786188-1660910688
                                                                              • Opcode ID: 8060b02bfbd0833a98a3e6243afb85b8b494b7fa2efbfb07078fe99f385005b5
                                                                              • Instruction ID: bbf2e7f3574d42a9113524bdb42c94a944b0e97273f2a70b882bd080beededf8
                                                                              • Opcode Fuzzy Hash: 8060b02bfbd0833a98a3e6243afb85b8b494b7fa2efbfb07078fe99f385005b5
                                                                              • Instruction Fuzzy Hash: 8E318F74A10214AFDB00EF65DC82D6E7BB5EB89318B51847AF800AB392D739BD01CB58
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EAEA
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAF0
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB19
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                              • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                              • API String ID: 828529508-2866557904
                                                                              • Opcode ID: 915f5369749bf1dd2f4e97bc9020bef18acdf07caf1deb2404a0262322aa2bf8
                                                                              • Instruction ID: f5c55ae169209784706469d1b6e96428d25835975ad7b3a5622eb1d8c2489c6d
                                                                              • Opcode Fuzzy Hash: 915f5369749bf1dd2f4e97bc9020bef18acdf07caf1deb2404a0262322aa2bf8
                                                                              • Instruction Fuzzy Hash: 2DF022E078062136E620E2BFACC3F6B498C8FA0725F040436F009EA2C2E92C9900422E
                                                                              APIs
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00457E64
                                                                              • GetExitCodeProcess.KERNEL32(?,00498116), ref: 00457E85
                                                                              • CloseHandle.KERNEL32(?,00457EB8,?,?,004586D3,00000000,00000000), ref: 00457EAB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                              • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                              • API String ID: 2573145106-3235461205
                                                                              • Opcode ID: 575e6b60f34cbf4eff7e6cad29998e42f3eca010a17ab32e5b4d53f7e3c6a35f
                                                                              • Instruction ID: 6a931132ee958b8202ab537f65b64b7fb4871f4dbf11571726e28c2ddef09419
                                                                              • Opcode Fuzzy Hash: 575e6b60f34cbf4eff7e6cad29998e42f3eca010a17ab32e5b4d53f7e3c6a35f
                                                                              • Instruction Fuzzy Hash: 1101A735604704AFDB11EB999D43A1E77A8DB49711F5004B6FC10E73D3D63C9D048618
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9D2
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
                                                                              • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9E9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                              • String ID: ChangeWindowMessageFilter$user32.dll
                                                                              • API String ID: 3478007392-2498399450
                                                                              • Opcode ID: 9d5cf1aadbd407eeb031432e352e4554899be5068d45876e9cc0d059751b9763
                                                                              • Instruction ID: 5ef4959e42d5312267b3952f4de6be483a2b5690063b138e9708ef51bd19b1c3
                                                                              • Opcode Fuzzy Hash: 9d5cf1aadbd407eeb031432e352e4554899be5068d45876e9cc0d059751b9763
                                                                              • Instruction Fuzzy Hash: A3E0ECB1741314EADA106B62BECBF5A2558E724B15F54043BF101751F2C7BD2C80C95E
                                                                              APIs
                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 00477AB8
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477BAF,0049C0A4,00000000), ref: 00477ACB
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477AD1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                              • String ID: AllowSetForegroundWindow$user32.dll
                                                                              • API String ID: 1782028327-3855017861
                                                                              • Opcode ID: 68b371c1f4cd94bc20bebdce253c565989975d555a3c9a3b5155311c67ca03d8
                                                                              • Instruction ID: 8233eca9c26ae86130ab8a2651ceb45e7b9436c82c984da63702dcb6f06a18e2
                                                                              • Opcode Fuzzy Hash: 68b371c1f4cd94bc20bebdce253c565989975d555a3c9a3b5155311c67ca03d8
                                                                              • Instruction Fuzzy Hash: 27D0A7A0208300A6ED10F3F14C47E6F224C8D847587A4C43B7404E3182CABCE900993C
                                                                              APIs
                                                                              • BeginPaint.USER32(00000000,?), ref: 00416C62
                                                                              • SaveDC.GDI32(?), ref: 00416C93
                                                                              • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
                                                                              • RestoreDC.GDI32(?,?), ref: 00416D1B
                                                                              • EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                              • String ID:
                                                                              • API String ID: 3808407030-0
                                                                              • Opcode ID: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
                                                                              • Instruction ID: c70ebf24aed337d2f43398dc79d2f74fb7d9fd2825851e0a0ce007a429ecfdc3
                                                                              • Opcode Fuzzy Hash: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
                                                                              • Instruction Fuzzy Hash: D7413C70A04204AFDB04DB99D985FAE77F9EB48304F1640AEE4059B362D778ED85CB58
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
                                                                              • Instruction ID: fc599d946787c0506e623d191f8eefd10b4a308858d20a9272ac2d3790a9447e
                                                                              • Opcode Fuzzy Hash: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
                                                                              • Instruction Fuzzy Hash: A1314F746047449FC320EF69C984BABB7E8AF89314F04891EF9D9C3752C638EC858B19
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
                                                                              • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
                                                                              • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
                                                                              • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
                                                                              • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3850602802-0
                                                                              • Opcode ID: 52b5b48316c5d4ae37ce8577e0a97d76e0e4998a9a2ed84e03e9d155575d1481
                                                                              • Instruction ID: c447c4a9eb68fcc7219df142ffdb21218ba7f26748626b58278b549ffff81a32
                                                                              • Opcode Fuzzy Hash: 52b5b48316c5d4ae37ce8577e0a97d76e0e4998a9a2ed84e03e9d155575d1481
                                                                              • Instruction Fuzzy Hash: 3321AF707507057AE710BB66CC82F5B76ACEB42708F94043EB541AB2D2DF78ED41825C
                                                                              APIs
                                                                              • GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
                                                                              • GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
                                                                              • 73E9A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC22
                                                                              • 73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD8D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC69
                                                                              • DeleteObject.GDI32(00000000), ref: 0041BCAA
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: MetricsSystem$A570A6310DeleteObject
                                                                              • String ID:
                                                                              • API String ID: 3435189566-0
                                                                              • Opcode ID: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
                                                                              • Instruction ID: d912de8c3c57523408de13a46bdb54385142bc6a2202aaac6113f7462e2bca5d
                                                                              • Opcode Fuzzy Hash: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
                                                                              • Instruction Fuzzy Hash: CE314F74E00209EFDB04DFA5C941AAEB7F5EB48700F11856AF514AB381D7789E40DB98
                                                                              APIs
                                                                                • Part of subcall function 0045D3B0: SetLastError.KERNEL32(00000057,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D41B
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0047391C,?,?,0049C1D0,00000000), ref: 004738D5
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0047391C,?,?,0049C1D0,00000000), ref: 004738EB
                                                                              Strings
                                                                              • Could not set permissions on the registry key because it currently does not exist., xrefs: 004738DF
                                                                              • Failed to set permissions on registry key (%d)., xrefs: 004738FC
                                                                              • Setting permissions on registry key: %s\%s, xrefs: 0047389A
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                              • API String ID: 1452528299-4018462623
                                                                              • Opcode ID: 65c899866a6f92bdc558b75d1f6f5c8f40dffa86cd9e0ff42c768141b597e19f
                                                                              • Instruction ID: 0e56c8fb080e82cb73bff42131c1910bc7e2d1be1188aa0d4929b19add272574
                                                                              • Opcode Fuzzy Hash: 65c899866a6f92bdc558b75d1f6f5c8f40dffa86cd9e0ff42c768141b597e19f
                                                                              • Instruction Fuzzy Hash: D42186B0A046485FCB00DFA9C8816EEBBE5DF49315F50817BE508E7392D7B85A05CB6A
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$AllocString
                                                                              • String ID:
                                                                              • API String ID: 262959230-0
                                                                              • Opcode ID: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
                                                                              • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                              • Opcode Fuzzy Hash: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
                                                                              • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                              APIs
                                                                              • 73E98830.GDI32(00000000,00000000,00000000), ref: 00414429
                                                                              • 73E922A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
                                                                              • 73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414445
                                                                              • 73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041444B
                                                                              • 73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414456
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: E922E98830$A480
                                                                              • String ID:
                                                                              • API String ID: 3692852386-0
                                                                              • Opcode ID: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
                                                                              • Instruction ID: 307ee49d89b37f6f535ee678b6e17b633f9af621dfcf88cb872c79a1e2d754b8
                                                                              • Opcode Fuzzy Hash: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
                                                                              • Instruction Fuzzy Hash: A901D47121C3406AD200B63D8C45B9F6BEC8FC6314F05546EF494D7382C97ACC018765
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,<jN,?,?,?,004018B4), ref: 00401566
                                                                              • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,<jN,?,?,?,004018B4), ref: 0040158B
                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,<jN,?,?,?,004018B4), ref: 004015B1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual$Alloc$Free
                                                                              • String ID: <jN$LjN
                                                                              • API String ID: 3668210933-3836049723
                                                                              • Opcode ID: 4da9ee4765cce6e6c7be3d7cc9adf05dad1d6bab5239e3db9b33b19d934b365d
                                                                              • Instruction ID: ed10fda1d5a177d2a0c43996bc0be7fa2989f050302610c9045c0a13ae1d279a
                                                                              • Opcode Fuzzy Hash: 4da9ee4765cce6e6c7be3d7cc9adf05dad1d6bab5239e3db9b33b19d934b365d
                                                                              • Instruction Fuzzy Hash: AFF0C8716403206AEB315A294C85F133AD4DBC5754F104075BE09FF3DAD6B8980082AC
APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
• Opcode ID: eb416ea4a1b8f2daa77fdd812f136362b1db0fd9b9a9c64830d5574e342882dc
• Instruction ID: 2ace50d644c075eff23e32fa5e1ddfe03b8fa53596be5d4ceb5675c655e146ae
• Opcode Fuzzy Hash: eb416ea4a1b8f2daa77fdd812f136362b1db0fd9b9a9c64830d5574e342882dc
• Instruction Fuzzy Hash: C0513070E04218ABDB15DF55CD41A9EBBB9FB49304F1041BAE910BB3D1C778AE418F5A
APIs
• SetRectEmpty.USER32(?), ref: 0044D05E
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D089
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D111
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: DrawText$EmptyRect
• String ID:
• API String ID: 182455014-2867612384
• Opcode ID: 9bd908fd6ab002ebc51c141ad104fc93549b6590cb61d9638f2d60c2e4f6398c
• Instruction ID: 2c2bbb7fbf4b59eae95d31c7b28000ca71a9f0321ec4255fb332cd8a4a3f7a8e
• Opcode Fuzzy Hash: 9bd908fd6ab002ebc51c141ad104fc93549b6590cb61d9638f2d60c2e4f6398c
• Instruction Fuzzy Hash: F6516071E00244AFDB10DFA5C885BDEBBF8AF49308F08847AE845EB255D778A945CB64
APIs
• 73E9A570.USER32(00000000,00000000,0042F0D8,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EFAE
  • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
• SelectObject.GDI32(?,00000000), ref: 0042EFD1
• 73E9A480.USER32(00000000,?,0042F0BD,00000000,0042F0B6,?,00000000,00000000,0042F0D8,?,?,?,?,00000000,00000000,00000000), ref: 0042F0B0
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: A480A570CreateFontIndirectObjectSelect
• String ID: ...\
• API String ID: 2998766281-983595016
• Opcode ID: da53642769cbe036028c7dc5c32fe254f1027efce08608ae13d670d4fc685408
• Instruction ID: 4ea51e63949933808241df29427b07dd96e06abf1a704ffa26f869fa6ec4a11f
• Opcode Fuzzy Hash: da53642769cbe036028c7dc5c32fe254f1027efce08608ae13d670d4fc685408
• Instruction Fuzzy Hash: 2F315270B00128ABDF11EF96D841BAEB7B8EB48708FD1447BF410A7292D7785D49CA59
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 00453997
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 004539A7
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: .tmp$_iu
• API String ID: 3498533004-10593223
• Opcode ID: dc109c8f01286b2989461901934a6d9e01325b966eab87418c3e389b569fc91a
• Instruction ID: 4fa05f029f2566c48aedd37e5d2d112a05e3774389c58111587f2dbaaee79b9c
• Opcode Fuzzy Hash: dc109c8f01286b2989461901934a6d9e01325b966eab87418c3e389b569fc91a
• Instruction Fuzzy Hash: 9531A6B0A40149ABCF01EF95C982B9EBBB5AF44345F50452AF800B72C2D6785F058AAD
APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
• UnregisterClassA.USER32(?,00400000), ref: 004164BB
• RegisterClassA.USER32(?), ref: 004164DE
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Class$InfoRegisterUnregister
• String ID: @
• API String ID: 3749476976-2766056989
• Opcode ID: 8cb808bfaf21f9b6be1f4599df9655a946cb93d0bbb2725194c7e4a3bd3b9422
• Instruction ID: 7ea39428e622c43f80c69b44bdb33f9ce6dea52ad5211df5dc1c1138561595a4
• Opcode Fuzzy Hash: 8cb808bfaf21f9b6be1f4599df9655a946cb93d0bbb2725194c7e4a3bd3b9422
• Instruction Fuzzy Hash: 0E318E706042009BD760EF68C981B9B77E5AB88308F04457FF985DB392DB39D9848B6A
APIs
• GetFileAttributesA.KERNEL32(00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C50
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C79
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00497C92
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• API String ID: 3839737484-3657609586
• Opcode ID: 9f18e9119b438212db1bb595c56ccc89a7930ded87602de0aca2db56358788ed
• Instruction ID: 213244b736f3eff521ec2db090c728ece63042f248bf50699bdf4cb02408e53f
• Opcode Fuzzy Hash: 9f18e9119b438212db1bb595c56ccc89a7930ded87602de0aca2db56358788ed
• Instruction Fuzzy Hash: 53214171E14219AFCF05EFA9C881AAFBBB8AB44714F50453BB814B72D1D6385E018B69
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446
• Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
• Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
• Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
• Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
APIs
  • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456A88
• RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456AB5
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
• String ID: LoadTypeLib$RegisterTypeLib
• API String ID: 1312246647-2435364021
• Opcode ID: 384f0062f956a7e6e5f729262f076ec348bfef461e3db0757be0fdeeca084a77
• Instruction ID: 5567ca09ff2ddd9e87874ef4cfa4ab968baaa8f1c3db1669d027a8a21fc87fa6
• Opcode Fuzzy Hash: 384f0062f956a7e6e5f729262f076ec348bfef461e3db0757be0fdeeca084a77
• Instruction Fuzzy Hash: 20119331B00604AFDB11EFA6CD55A5EB7BDEB8A705B51C4B6BC04E3652DA389E04CB24
APIs
• SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456FA6
• SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457043
Strings
• Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456FD2
• Failed to create DebugClientWnd, xrefs: 0045700C
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: MessageSend
• String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
• API String ID: 3850602802-3720027226
• Opcode ID: e461573c832d53d536b60bdd09be1689879239ada0565844d92a82a55e03096e
• Instruction ID: 61f5065308a022425a12d25e559eb7300ab1b4b0d104b50eccf394a1c4e119f6
• Opcode Fuzzy Hash: e461573c832d53d536b60bdd09be1689879239ada0565844d92a82a55e03096e
• Instruction Fuzzy Hash: 921123706082509BD300AB689C82B5F7BD89B55719F45403BF9859B3C3D7798C08C7AE
APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495E38,?,00495E2C,00000000,00495E13), ref: 00495DDE
• CloseHandle.KERNEL32(x^I,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495E38,?,00495E2C,00000000), ref: 00495DF5
  • Part of subcall function 00495CC8: GetLastError.KERNEL32(00000000,00495D60,?,?,?,?), ref: 00495CEC
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: CloseCreateErrorHandleLastProcess
• String ID: D$x^I
• API String ID: 3798668922-903578107
• Opcode ID: 39c0d8672a1bce61a407111d09c5e91ba0fa0ceca0774959188b9b62fea67dd3
• Instruction ID: 0d7d1bccb2b79611993d32b5dcf50d38d0c3e5c5098d5d0063742a7482510134
• Opcode Fuzzy Hash: 39c0d8672a1bce61a407111d09c5e91ba0fa0ceca0774959188b9b62fea67dd3
• Instruction Fuzzy Hash: F201A1B1604648AFDF01EBA2DC42E9FBBACDF08704F60003AF904E72C1D6385E008A28
                                                                              APIs
                                                                                • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                              • GetFocus.USER32 ref: 00478673
                                                                              • GetKeyState.USER32(0000007A), ref: 00478685
                                                                              • WaitMessage.USER32(?,00000000,004786AC,?,00000000,004786D3,?,?,00000001,00000000,?,?,?,0047FED4,00000000,00480D8E), ref: 0047868F
                                                                              Strings
Similarity
• API ID: FocusMessageStateTextWaitWindow
• String ID: Wnd=$%x
• API String ID: 1381870634-2927251529
• Opcode ID: 1a422d4577b49dccfc2774414577709a46ec3ce372f56b5ec11200a8bbcf7a92
• Instruction ID: ef44951ba698f020dd2967180cd2d6f5e0b89f016f08406409eb47c9a327eab3
• Opcode Fuzzy Hash: 1a422d4577b49dccfc2774414577709a46ec3ce372f56b5ec11200a8bbcf7a92
• Instruction Fuzzy Hash: 2411A374644244BFC700EF65DD45A9E7BF8EB49714B5184BAF408E3691DB38AE00CA6E
APIs
• FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E8C0
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E8CF
Strings
Similarity
• API ID: Time$File$LocalSystem
• String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
• API String ID: 1748579591-1013271723
• Opcode ID: 2e2682d59cfc45f7ed460395edcc4d500eda373c92ad7cb826f7e8648d0918d2
• Instruction ID: 5dd70de3b3cbc2db986134396dd9c806d54cb2705fd1511918c86a199fc004ed
• Opcode Fuzzy Hash: 2e2682d59cfc45f7ed460395edcc4d500eda373c92ad7cb826f7e8648d0918d2
• Instruction Fuzzy Hash: 1711F8A440C3919AD340DF2AC44432BBBE4AF89704F44892EF9D8D6381E779C948DB77
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F6F
  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
• MoveFileA.KERNEL32(00000000,00000000), ref: 00453F94
  • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
Strings
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: DeleteFile$MoveFile
• API String ID: 3024442154-139070271
• Opcode ID: 987ea279d6d59187c3e0b7c28975cb0d289204635ad797c92353d6d323b91857
• Instruction ID: b42c41819cc20c1867e4fcb1ab4fb5766129ddbc0fc5112b2d6697d8e42203d6
• Opcode Fuzzy Hash: 987ea279d6d59187c3e0b7c28975cb0d289204635ad797c92353d6d323b91857
• Instruction Fuzzy Hash: 49F062716041455AEB01FAA5D84266EA3ECDB8430BFA0403BB800BB6C3DA3C9E09493D
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483685
• RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004836A8
Strings
• System\CurrentControlSet\Control\Windows, xrefs: 00483652
• CSDVersion, xrefs: 0048367C
Similarity
• API ID: CloseOpenQueryValue
• String ID: CSDVersion$System\CurrentControlSet\Control\Windows
• API String ID: 3677997916-1910633163
• Opcode ID: 753ec1cdaceecf10a2c10abed9fa14ba9196f183527e9def43a7b07e5ea74203
• Instruction ID: 3c550b8be62ae6962ae8a8b2bb2136c6a1766c1456238aff6c9f059f5d92f743
• Opcode Fuzzy Hash: 753ec1cdaceecf10a2c10abed9fa14ba9196f183527e9def43a7b07e5ea74203
• Instruction Fuzzy Hash: B1F06D75E00208B6DF20EED88C45BAFB3BCAF14B05F204566E910E7381F6789B448B59
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459805,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459715
Strings
Similarity
• API ID: CloseOpen
• String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
• API String ID: 47109696-2631785700
• Opcode ID: 2bb6d2a90fde3dca571cbffa0de55d15307f7e9fe95e0bdc468a8876b40318f9
• Instruction ID: 5fc53f2980ca067f7fdefaa7aa50a153e5e830959166a8c5adde0da5508e813c
• Opcode Fuzzy Hash: 2bb6d2a90fde3dca571cbffa0de55d15307f7e9fe95e0bdc468a8876b40318f9
• Instruction Fuzzy Hash: 97F0AF35720150DBCB10EF5AE885B4E6298DB99396F50403BB985CB263C77CCC06CA99
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B46,00000000,00453BE9,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FD9,00000000), ref: 0042D91A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D920
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetSystemWow64DirectoryA$kernel32.dll
• API String ID: 1646373207-4063490227
• Opcode ID: 9f11ee2d5e3000e0cdd038ccf0fc88bc65f7f941c6d0e4eb05ced4219cc1a029
• Instruction ID: 1097081faf8e12b72459453f22f39748745641366cc83a46a0cb0e3cd7246884
• Opcode Fuzzy Hash: 9f11ee2d5e3000e0cdd038ccf0fc88bc65f7f941c6d0e4eb05ced4219cc1a029
• Instruction Fuzzy Hash: 5FE04FE1B40B1112D71066BA5C82B6B158E4B84724F90443B3994E62C3DDBCD9885A5D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAE0), ref: 0042EB72
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB78
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: ShutdownBlockReasonDestroy$user32.dll
• API String ID: 1646373207-260599015
• Opcode ID: ea69c1903bbb3952bc51afe47cebbdaeff40ebefb6d83304b24a691856bce627
• Instruction ID: 186c8a8b24504359f9bd95d8817b94a00a7cf61d77d8ea7090d5fad6c77db3b3
• Opcode Fuzzy Hash: ea69c1903bbb3952bc51afe47cebbdaeff40ebefb6d83304b24a691856bce627
• Instruction Fuzzy Hash: 1CD0C792312732666D10F1F73CD1DBB098C89116753544477F505E5241D55DDD01196D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004985C2), ref: 0044F78F
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F795
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: NotifyWinEvent$user32.dll
• API String ID: 1646373207-597752486
• Opcode ID: ae93fc19694d9525260dce27dd3aecea032003b0c05c01207aef2e00a83e3bcb
• Instruction ID: adaf68bc035e952e092e397114f6a1653fed54d9058db7208dfb757fc5d15743
• Opcode Fuzzy Hash: ae93fc19694d9525260dce27dd3aecea032003b0c05c01207aef2e00a83e3bcb
• Instruction Fuzzy Hash: F7E012F4E417049DEF00BBF5BA86B1E3A90E764718B01417FF404A62A2DB7C440C8E5D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498618,00000001,00000000,0049863C), ref: 00498342
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498348
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: DisableProcessWindowsGhosting$user32.dll
• API String ID: 1646373207-834958232
• Opcode ID: a3044ebe087eacdbfcba4854d25501df4a36c2cbac561551b3a8e0a3d6241fb5
• Instruction ID: 7eda4cb16e2cba450c320cc229382d7be1fc12bfd2fbc27455de3eb8489cf644
• Opcode Fuzzy Hash: a3044ebe087eacdbfcba4854d25501df4a36c2cbac561551b3a8e0a3d6241fb5
• Instruction Fuzzy Hash: 88B092C128174298AC7032FA0C02A1F08084882F28718083F3C48F50C2CD6ED804182D
APIs
  • Part of subcall function 0044B668: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6CB
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6DD
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6EF
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B701
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B713
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B725
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B737
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B749
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B75B
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B76D
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B77F
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B791
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B7A3
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7B5
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7C7
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975
Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad
                                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                              • API String ID: 2238633743-2683653824
                                                                              • Opcode ID: b0b0cc609965775dafbc177cfbf53c5f286fe0b9a785a06f0526f65a81a5d1e8
                                                                              • Instruction ID: ef62b78e1ecbbf86accf82cc5e54c74759ffbda80f6f2c7107c350d82a6c33f4
                                                                              • Opcode Fuzzy Hash: b0b0cc609965775dafbc177cfbf53c5f286fe0b9a785a06f0526f65a81a5d1e8
                                                                              • Instruction Fuzzy Hash: 48B092E06E2700A88E00B7FA2887B0B104895D0B1DB56063F704979092EB7C4008CD6E
                                                                              APIs
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D4A8,?,?,?,?,00000000,0047D5FD,?,?,?,00000000,?,0047D70E), ref: 0047D484
                                                                              • FindClose.KERNEL32(000000FF,0047D4AF,0047D4A8,?,?,?,?,00000000,0047D5FD,?,?,?,00000000,?,0047D70E,00000000), ref: 0047D4A2
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Find$CloseFileNext
                                                                              • String ID:
                                                                              • API String ID: 2066263336-0
                                                                              • Opcode ID: b2c7b71d20f6e59f381effc7c5b6ff5d5103613db955826220e612b659a83145
                                                                              • Instruction ID: 2979fa4f850f67a6d1e6d53d287e6b8f4dfe67a5ddfa55c2aaa4ecb03bfc0e13
                                                                              • Opcode Fuzzy Hash: b2c7b71d20f6e59f381effc7c5b6ff5d5103613db955826220e612b659a83145
                                                                              • Instruction Fuzzy Hash: CA812D70D0024DAFDF11DFA5CC55ADFBBB9EF49308F5080AAE808A7291D6399A46CF54
                                                                              APIs
                                                                                • Part of subcall function 0042EE40: GetTickCount.KERNEL32 ref: 0042EE46
                                                                                • Part of subcall function 0042EC98: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECCD
                                                                              • GetLastError.KERNEL32(00000000,00475991,?,?,0049C1D0,00000000), ref: 0047587A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CountErrorFileLastMoveTick
                                                                              • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                              • API String ID: 2406187244-2685451598
                                                                              • Opcode ID: 0a1b29da48a0e8fc9cf90d26d5d6551fdd5eac2558fd5f62cf07407676141883
                                                                              • Instruction ID: 8ae0701305b01ce1bca9537847079d861391bf026d2cb8563746cd807755024f
                                                                              • Opcode Fuzzy Hash: 0a1b29da48a0e8fc9cf90d26d5d6551fdd5eac2558fd5f62cf07407676141883
                                                                              • Instruction Fuzzy Hash: BB4166B0A006098FDB10EFA5D882ADE77B5EF48314F60853BE514BB351D7789A058BA9
                                                                              APIs
                                                                              • GetDesktopWindow.USER32 ref: 00413D56
                                                                              • GetDesktopWindow.USER32 ref: 00413E0E
                                                                                • Part of subcall function 00418ED0: 6FA0C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049B628), ref: 00418EEC
                                                                                • Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049B628), ref: 00418F09
                                                                              • SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CursorDesktopWindow$Show
                                                                              • String ID:
                                                                              • API String ID: 2074268717-0
                                                                              • Opcode ID: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
                                                                              • Instruction ID: 95de96b99ba854305cf3f6c98da1fc171ffd9c3687d173b50ed20deed18b133b
                                                                              • Opcode Fuzzy Hash: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
                                                                              • Instruction Fuzzy Hash: 59411F75600250AFC710DF2AFA85B5677E1EB64319F15817BE404CB365DB38AD81CF98
                                                                              APIs
                                                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A7D
                                                                              • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AEC
                                                                              • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B87
                                                                              • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BC6
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: LoadString$FileMessageModuleName
                                                                              • String ID:
                                                                              • API String ID: 704749118-0
                                                                              • Opcode ID: 951c1155a055777031086f0b90c3083af3c2960daf331f13f5541ebbba7c3e7d
                                                                              • Instruction ID: 11344639af0fa1b95b6fef638a25282c94d515b30ba3ed4b3402aedba36e13da
                                                                              • Opcode Fuzzy Hash: 951c1155a055777031086f0b90c3083af3c2960daf331f13f5541ebbba7c3e7d
                                                                              • Instruction Fuzzy Hash: 843133706083849ED330EA658945B9F77D89B85304F40483FF6C8D72D1DB79A9048B67
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E91D
                                                                                • Part of subcall function 0044CF60: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF92
                                                                              • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E9A1
                                                                                • Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8
                                                                              • IsRectEmpty.USER32(?), ref: 0044E963
                                                                              • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E986
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                              • String ID:
                                                                              • API String ID: 855768636-0
                                                                              • Opcode ID: 919708f5ffdde2f57f521d6641e4cc0e1a287a75e8cdc9711807c6008472dbb9
                                                                              • Instruction ID: 03991ef50c1cdc1947edd1d0bf9da16660927dd763c0b41cb42d654f0fd6bbd7
                                                                              • Opcode Fuzzy Hash: 919708f5ffdde2f57f521d6641e4cc0e1a287a75e8cdc9711807c6008472dbb9
                                                                              • Instruction Fuzzy Hash: 47113871B5030027E250AA7A9C86B5B76899B88748F14093FB546EB3C7EE7DDC09429D
                                                                              APIs
                                                                              • OffsetRect.USER32(?,?,00000000), ref: 00495358
                                                                              • OffsetRect.USER32(?,00000000,?), ref: 00495373
                                                                              • OffsetRect.USER32(?,?,00000000), ref: 0049538D
                                                                              • OffsetRect.USER32(?,00000000,?), ref: 004953A8
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: OffsetRect
                                                                              • String ID:
                                                                              • API String ID: 177026234-0
                                                                              • Opcode ID: 39b7304c59ecfeab53ef959acea8ec35100b2c2eb9a0585a5ab9f65ef9bb45fe
                                                                              • Instruction ID: af1c1dfc71d00ff4a9a929e8d6bf6bfabc08d13bc1b1844b1e7d273cf48c6b2a
                                                                              • Opcode Fuzzy Hash: 39b7304c59ecfeab53ef959acea8ec35100b2c2eb9a0585a5ab9f65ef9bb45fe
                                                                              • Instruction Fuzzy Hash: 94217CB6700701ABD700DE69CD85E5BB7DEEBC4344F24CA2AF954C7249D634ED0487A6
                                                                              APIs
                                                                              • GetCursorPos.USER32 ref: 00417270
                                                                              • SetCursor.USER32(00000000), ref: 004172B3
                                                                              • GetLastActivePopup.USER32(?), ref: 004172DD
                                                                              • GetForegroundWindow.USER32(?), ref: 004172E4
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                              • String ID:
                                                                              • API String ID: 1959210111-0
                                                                              • Opcode ID: ab2bc15dd938f987afbfcd80c1a154205083a351e68354f3dc1a1c3122339836
                                                                              • Instruction ID: a2974bbdd40a4ad71efed6c963999b1e78101043f5dd1c0306289f7dfca9f025
                                                                              • Opcode Fuzzy Hash: ab2bc15dd938f987afbfcd80c1a154205083a351e68354f3dc1a1c3122339836
                                                                              • Instruction Fuzzy Hash: 4321A1313082018BCB20AB69E985AE733B1EF44754B0545ABF854CB352D73CDC82CB89
                                                                              APIs
                                                                              • MulDiv.KERNEL32(8B500000,00000008,?), ref: 00494FC1
                                                                              • MulDiv.KERNEL32(50142444,00000008,?), ref: 00494FD5
                                                                              • MulDiv.KERNEL32(F70577E8,00000008,?), ref: 00494FE9
                                                                              • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00495007
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                              • Instruction ID: c81a7ae82503e1df060b9d2e8e6c822c04bb2cec442f3182d8fec1f0f0e8f71f
                                                                              • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                              • Instruction Fuzzy Hash: 48112472604204ABCF50DE99C8C4D9B7BECEF4D320B1541A6F918DB246D674DD408BA4
                                                                              APIs
                                                                              • GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
                                                                              • UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
                                                                              • RegisterClassA.USER32(00499598), ref: 0041F4E4
                                                                              • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                              • String ID:
                                                                              • API String ID: 4025006896-0
                                                                              • Opcode ID: 17400656b2714228e1ab5d36733c826c34e0b7aebe27f437723bcf7a68a21383
                                                                              • Instruction ID: e8d232a05c88a2160d81946a52d6ac90de0a8bd7e5396313334bc6410d622602
                                                                              • Opcode Fuzzy Hash: 17400656b2714228e1ab5d36733c826c34e0b7aebe27f437723bcf7a68a21383
                                                                              • Instruction Fuzzy Hash: 7B011B722401047BDA10EB6DED81E9B3799D719314B11413BBA15E72A1D7369C154BAC
                                                                              APIs
                                                                              • WaitForInputIdle.USER32(00000001,00000032), ref: 00454F94
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00454FB6
                                                                              • GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00454FC5
                                                                              • CloseHandle.KERNEL32(00000001,00454FF2,00454FEB,?,00000031,00000080,00000000,?,?,0045534B,00000080,0000003C,00000000,00455361), ref: 00454FE5
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                              • String ID:
                                                                              • API String ID: 4071923889-0
                                                                              • Opcode ID: 45540edf5afa8ba95db9dec670ac0957df4a9836c83591dc179b3e9a7f9926ac
                                                                              • Instruction ID: 44a5693fa59bfbe72ab063cfacecacb9b789a88f4d4f9747d0667cdf65a63c8e
                                                                              • Opcode Fuzzy Hash: 45540edf5afa8ba95db9dec670ac0957df4a9836c83591dc179b3e9a7f9926ac
                                                                              • Instruction Fuzzy Hash: 7201F9716046087EEB20979E8C06F6B7BACDF44774F610167F904DB2C2C6785D40C668
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D227
                                                                              • LoadResource.KERNEL32(00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047C7C4,0000000A,REGDLL_EXE), ref: 0040D241
                                                                              • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047C7C4), ref: 0040D25B
                                                                              • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?), ref: 0040D265
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                              • String ID:
                                                                              • API String ID: 3473537107-0
                                                                              • Opcode ID: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
                                                                              • Instruction ID: 8b55825d53d46818f15098a3aa340eb6897fe62b828c159971ec5f2842f97e2f
                                                                              • Opcode Fuzzy Hash: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
                                                                              • Instruction Fuzzy Hash: ADF062736046046F8704EE9DA881D5B77ECDE88364310017FF908EB246DA38DD018B78
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,00000000), ref: 004700ED
                                                                              Strings
                                                                              • Failed to set NTFS compression state (%d)., xrefs: 004700FE
                                                                              • Unsetting NTFS compression on directory: %s, xrefs: 004700D3
                                                                              • Setting NTFS compression on directory: %s, xrefs: 004700BB
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                              • API String ID: 1452528299-1392080489
                                                                              • Opcode ID: dfebb939fa925478a91c01d20c19499446f2cbe0988f19a8e93b7205f6de1292
                                                                              • Instruction ID: 8e5543267561a70d3fbbbef991b1365390ff1382f756d9cdf86c8bb39141f558
                                                                              • Opcode Fuzzy Hash: dfebb939fa925478a91c01d20c19499446f2cbe0988f19a8e93b7205f6de1292
                                                                              • Instruction Fuzzy Hash: C9011730E0928C96CF05D7ADA0412DDBBF4DF4D314F84C1AFA45DE7282DA790609879A
                                                                              APIs
                                                                              • GetLastError.KERNEL32(?,00000000), ref: 00470899
                                                                              Strings
                                                                              • Failed to set NTFS compression state (%d)., xrefs: 004708AA
                                                                              • Setting NTFS compression on file: %s, xrefs: 00470867
                                                                              • Unsetting NTFS compression on file: %s, xrefs: 0047087F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                              • API String ID: 1452528299-3038984924
                                                                              • Opcode ID: 323dc33fe38fce2a535158e710f937577eac4405a22a140b88caf43724a8761b
                                                                              • Instruction ID: 78fa65e16581c334b53b8e167e27839d8ecb3154876bc13dabe901d18edf2e93
                                                                              • Opcode Fuzzy Hash: 323dc33fe38fce2a535158e710f937577eac4405a22a140b88caf43724a8761b
                                                                              • Instruction Fuzzy Hash: 5C01F430D092489ADB04A7E9A4412EDBBF49F09314F45C1ABA459E7282DAB9050947DB
                                                                              APIs
                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                              • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045BB12,?,?,?,?,?,00000000,0045BB39), ref: 00455DC4
                                                                              • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045BB12,?,?,?,?,?,00000000), ref: 00455DCD
                                                                              • RemoveFontResourceA.GDI32(00000000), ref: 00455DDA
                                                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455DEE
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                              • String ID:
                                                                              • API String ID: 4283692357-0
                                                                              • Opcode ID: 5aa6bc1fef2ece3e1d74d37f8f7457d5ece9b91b834f41029562ebbb00b702db
                                                                              • Instruction ID: 88a6b2d0cd2ebf9d052afffcb5c4be27c29a8e8e48dcb03e602a07ae18d4e81c
                                                                              • Opcode Fuzzy Hash: 5aa6bc1fef2ece3e1d74d37f8f7457d5ece9b91b834f41029562ebbb00b702db
                                                                              • Instruction Fuzzy Hash: E3F05EB6B4470176EA10B6B69C8BF2B229C9F54745F10883BBA00EF2C3D97CDC04962D
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$CountSleepTick
                                                                              • String ID:
                                                                              • API String ID: 2227064392-0
                                                                              • Opcode ID: b259759894679f81c91e5f8e49ac887a4ee880673b8cc13734a950e5130029b9
                                                                              • Instruction ID: e9c2c7e2fc271270d41d52dba3350464f1e42bdffd51bbfd166b1ef271046f5a
                                                                              • Opcode Fuzzy Hash: b259759894679f81c91e5f8e49ac887a4ee880673b8cc13734a950e5130029b9
                                                                              • Instruction Fuzzy Hash: 93E02B7130964845CA24B2BE28C37BF4A88CB8536AB14453FF08CD6242C42C4D05956E
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB,00000000), ref: 00478129
                                                                              • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB), ref: 0047812F
                                                                              • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E), ref: 00478151
                                                                              • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E), ref: 00478162
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                              • String ID:
                                                                              • API String ID: 215268677-0
                                                                              • Opcode ID: fbd84f65280b9b42d2110702e409595f627c02f938f534a1f8f22361ecaea6e1
                                                                              • Instruction ID: 3331d84468cd062744280f6e1aa24963878bc2b2d96e3aea022572b3ec77581d
                                                                              • Opcode Fuzzy Hash: fbd84f65280b9b42d2110702e409595f627c02f938f534a1f8f22361ecaea6e1
                                                                              • Instruction Fuzzy Hash: 70F030716843016BD600EAB5CC82E9B77DCEB44754F04893E7E98D72C1DA79DC08AB66
                                                                              APIs
                                                                              • GetLastActivePopup.USER32(?), ref: 0042425C
                                                                              • IsWindowVisible.USER32(?), ref: 0042426D
                                                                              • IsWindowEnabled.USER32(?), ref: 00424277
                                                                              • SetForegroundWindow.USER32(?), ref: 00424281
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                              • String ID:
                                                                              • API String ID: 2280970139-0
                                                                              • Opcode ID: 3290ed535df25d2f1ddaed747f1c047a4a496922c2b2cea1102cb49f09a67e5c
                                                                              • Instruction ID: cc3e18b4355afb8de1117362fa5ee1cc3bb5bcb08e60588071b409dab7082488
                                                                              • Opcode Fuzzy Hash: 3290ed535df25d2f1ddaed747f1c047a4a496922c2b2cea1102cb49f09a67e5c
                                                                              • Instruction Fuzzy Hash: DBE08691B02571929E71FA671881A9F018CCD45BE434602A7FD04F7243DB1CCC0041BC
                                                                              APIs
                                                                              • GlobalHandle.KERNEL32 ref: 00406287
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0040628E
                                                                              • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                                                              • GlobalLock.KERNEL32(00000000), ref: 00406299
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Global$AllocHandleLockUnlock
                                                                              • String ID:
                                                                              • API String ID: 2167344118-0
                                                                              • Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                              • Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
                                                                              • Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                              • Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D
APIs
• RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047B8D5,?,00000000,00000000,00000001,00000000,0047A301,?,00000000), ref: 0047A2C5
Strings
• Failed to parse "reg" constant, xrefs: 0047A2CC
• Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A139
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Close
• String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
• API String ID: 3535843008-1938159461
• Opcode ID: e0d6e35170bf7ee4b8178599f1d76f9c45a53d37f1d162d859c7bf4591e85c05
• Instruction ID: 3bf0094b3715a844c7fa4d69accdb7e726d223c3dcefaf8b2e4f531663087c06
• Opcode Fuzzy Hash: e0d6e35170bf7ee4b8178599f1d76f9c45a53d37f1d162d859c7bf4591e85c05
• Instruction Fuzzy Hash: 5F814174E00149AFCB10DF95D881ADEBBF9EF48314F5081AAE814B7392D7389E05CB99
APIs
• GetForegroundWindow.USER32(00000000,00483196,?,00000000,004831D7,?,?,?,?,00000000,00000000,00000000,?,0046C0D1), ref: 00483045
• SetActiveWindow.USER32(?,00000000,00483196,?,00000000,004831D7,?,?,?,?,00000000,00000000,00000000,?,0046C0D1), ref: 00483057
Strings
• Will not restart Windows automatically., xrefs: 00483176
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Window$ActiveForeground
• String ID: Will not restart Windows automatically.
• API String ID: 307657957-4169339592
• Opcode ID: f35973b3444d63abd30155c0fb60d5d87605f2a8390df662fe53ad2e28820558
• Instruction ID: df9a9ae9a8219d8b6a1298420550b74bcee7fa449f44545fa147fc9774bd32fa
• Opcode Fuzzy Hash: f35973b3444d63abd30155c0fb60d5d87605f2a8390df662fe53ad2e28820558
• Instruction Fuzzy Hash: A7413330208340AED710FFA4DC9AB6E3BA4DB15F05F1408B7E9404B3A2D6BD5A04DB1D
Strings
• Failed to proceed to next wizard page; aborting., xrefs: 0046CFCC
• Failed to proceed to next wizard page; showing wizard., xrefs: 0046CFE0
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID:
• String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
• API String ID: 0-1974262853
• Opcode ID: f8b0d9f73654ae948dfe63457d27392de8d2a8ebea4116114edd3800fcdd02ea
• Instruction ID: 63d40b18a6e87dbc706e62a2b7ed59e25ea13cd94e581da409b3f01416405f56
• Opcode Fuzzy Hash: f8b0d9f73654ae948dfe63457d27392de8d2a8ebea4116114edd3800fcdd02ea
• Instruction Fuzzy Hash: 9A319E30A08244DFD711EB99D989BA977F6EB05308F1500FBF0489B392D779AE40CB1A
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(?,00478E9A,?,?,00000001,00000000,00000000,00478EB5), ref: 00478E83
Strings
• %s\%s_is1, xrefs: 00478E2C
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478E0E
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
• API String ID: 47109696-1598650737
• Opcode ID: 3c218534b7aea35313477da1420f505f75d4b79f6803eaf18b753309f41f968f
• Instruction ID: 403b8390735a8e98fed73365c843d129082673b7d0193522817cb9849c55968d
• Opcode Fuzzy Hash: 3c218534b7aea35313477da1420f505f75d4b79f6803eaf18b753309f41f968f
• Instruction Fuzzy Hash: 79218470B40208AFDB01DFAACC55A9EBBE8EB48304F90847EE904E7381DB785D018A59
APIs
• SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501E9
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045021A
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: ExecuteMessageSendShell
• String ID: open
• API String ID: 812272486-2758837156
• Opcode ID: adeb5e276340ad6fa3d53176e38ffb5e58c1499704c489fbf40d86a9362c05b3
• Instruction ID: 6e2feb9b457cb976a84d54f3b3258ed3b08e14d6ba220cef3ebd8abcd6e201e4
• Opcode Fuzzy Hash: adeb5e276340ad6fa3d53176e38ffb5e58c1499704c489fbf40d86a9362c05b3
• Instruction Fuzzy Hash: 62219474E40208AFDB00DFA5C886B9EB7F8EB44705F2081BAB514E7282D7789E05CB58
APIs
• ShellExecuteEx.SHELL32(0000003C), ref: 00455318
• GetLastError.KERNEL32(0000003C,00000000,00455361,?,?,00000001,00000001), ref: 00455329
  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: DirectoryErrorExecuteLastShellSystem
• String ID: <
• API String ID: 893404051-4251816714
• Opcode ID: 57012810d142c3df1a5160bec437aa7c33a0c7c828d826884eb3f35a8728d1b1
• Instruction ID: ea799879bbb6ab716a70283d096866571a468ac1fa4b8cc73728b10af3e72d10
• Opcode Fuzzy Hash: 57012810d142c3df1a5160bec437aa7c33a0c7c828d826884eb3f35a8728d1b1
• Instruction Fuzzy Hash: 02215370A00609ABDB10DFA5D8926AE7BF8AF18355F50443AFC44E7281D7789949CB58
APIs
• RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
• RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$AllocInitializeLocal
• String ID: )
• API String ID: 2227675388-1084416617
• Opcode ID: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
• Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
• Opcode Fuzzy Hash: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
• Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496539
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Window
• String ID: /INITPROCWND=$%x $@
• API String ID: 2353593579-4169826103
• Opcode ID: 552611a81f91654fc44d41bb0f0c519a98a2c07263e337a61ce07e3eab6c417a
• Instruction ID: 8ac61a852f64af84e8a4d996ffe215da0ea6a1f7c0dd4c2642a2787a2d41e8fe
• Opcode Fuzzy Hash: 552611a81f91654fc44d41bb0f0c519a98a2c07263e337a61ce07e3eab6c417a
• Instruction Fuzzy Hash: C711A531A043089FDB01DF64E855BAE7BE8EB48324F52847BE404E7281DB3CE905CA58
APIs
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• SysFreeString.OLEAUT32(?), ref: 004474D6
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: String$AllocByteCharFreeMultiWide
• String ID: NIL Interface Exception$Unknown Method
• API String ID: 3952431833-1023667238
• Opcode ID: 258d3c6477c64922ebec54d5f4264d59c03dbf12c3c57b46792931bb3fd1eaaf
• Instruction ID: aafd2560cbf8ba646f5ae6954b41d26adab4393ec7197c17a1bba45f9511721b
• Opcode Fuzzy Hash: 258d3c6477c64922ebec54d5f4264d59c03dbf12c3c57b46792931bb3fd1eaaf
• Instruction Fuzzy Hash: 0811D6306042049FEB10DFA59D42A6EBBACEB49704F91403AF504E7681C7789D01CB69
APIs
• RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD88
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDC8
Strings
Memory Dump Source
• Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
Similarity
• API ID: Value$EnumQuery
• String ID: Inno Setup: No Icons
• API String ID: 1576479698-2016326496
• Opcode ID: e0e38617d7780f69d75f26860b1501b2527d54a68fe4bf3310a8a6dfd5a7631c
• Instruction ID: 05ef73584c9e0c756a5fead926ccd29af3c260b6948a855c27afe474e1c18ecb
• Opcode Fuzzy Hash: e0e38617d7780f69d75f26860b1501b2527d54a68fe4bf3310a8a6dfd5a7631c
• Instruction Fuzzy Hash: B2012B36F5A77179F73046256D02BBB56888B82B60F68453BF940EA2C0D6589C04C36E
                                                                              APIs
                                                                                • Part of subcall function 004555D0: GetCurrentProcess.KERNEL32(00000028), ref: 004555DF
                                                                                • Part of subcall function 004555D0: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555E5
                                                                              • SetForegroundWindow.USER32(?), ref: 00497266
                                                                              Strings
                                                                              • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 00497291
                                                                              • Restarting Windows., xrefs: 00497243
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                              • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                              • API String ID: 3179053593-4147564754
                                                                              • Opcode ID: 699fd1f27132e499a72d678966239612eac8b61dfe9d57f4c88cf0c32b356d0f
                                                                              • Instruction ID: f042dff5c045186d33be5417afa4f05d679b9763972d2bb00463d131ea403ed4
                                                                              • Opcode Fuzzy Hash: 699fd1f27132e499a72d678966239612eac8b61dfe9d57f4c88cf0c32b356d0f
                                                                              • Instruction Fuzzy Hash: FD01D8706282406BEB00EB65E981B9C3F99AB5430CF5040BBF900A72D3D73C9945871D
                                                                              APIs
                                                                                • Part of subcall function 0047CD84: FreeLibrary.KERNEL32(6FFF0000,004814B7), ref: 0047CD9A
                                                                                • Part of subcall function 0047CA54: GetTickCount.KERNEL32 ref: 0047CA9E
                                                                                • Part of subcall function 004570CC: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004570EB
                                                                              • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049832B), ref: 00497A29
                                                                              • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049832B), ref: 00497A2F
                                                                              Strings
                                                                              • Detected restart. Removing temporary directory., xrefs: 004979E3
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                              • String ID: Detected restart. Removing temporary directory.
                                                                              • API String ID: 1717587489-3199836293
                                                                              • Opcode ID: e611eeaa9fed28cadb8c69ef2edffd8a52967f1f4ce985551ff58b7f7fd4f302
                                                                              • Instruction ID: 93f06bea8fcfa1b224d7ac257058da4e76460d04d1e35911cc499d3d1c0dfa98
                                                                              • Opcode Fuzzy Hash: e611eeaa9fed28cadb8c69ef2edffd8a52967f1f4ce985551ff58b7f7fd4f302
                                                                              • Instruction Fuzzy Hash: 51E0553120C3002EDA02B7B2BC52A2F7F8CD701728311083BF40882452C43D1810C77D
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.3713948331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000002.00000002.3713521785.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717126566.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717215641.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3717256634.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000002.00000002.3719143365.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_400000_Ui6sm6N5JG.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastSleep
                                                                              • String ID:
                                                                              • API String ID: 1458359878-0
                                                                              • Opcode ID: 11e49af8eca5aab8e77903997d46822470632a6293514e89f51700c73713890d
                                                                              • Instruction ID: a2606c7dd4c17da0a3c90c20a229de96912268129783a4208f21052e6a4fbdd3
                                                                              • Opcode Fuzzy Hash: 11e49af8eca5aab8e77903997d46822470632a6293514e89f51700c73713890d
                                                                              • Instruction Fuzzy Hash: 62F02436B01D64578F20A59E998193F63DDEA94376750013BFC0CDB303D438CC098AA9

                                                                              Execution Graph

                                                                              Execution Coverage:4.2%
                                                                              Dynamic/Decrypted Code Coverage:83.6%
                                                                              Signature Coverage:3.5%
                                                                              Total number of Nodes:2000
                                                                              Total number of Limit Nodes:37
2ce648b RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 19262 2ce42c7 19184->19262 19263 402647 19266 401f64 FindResourceA 19263->19266 19265 40264c 19267 401f86 GetLastError SizeofResource 19266->19267 19268 401f9f 19266->19268 19267->19268 19269 401fa6 LoadResource LockResource GlobalAlloc 19267->19269 19268->19265 19270 401fd2 19269->19270 19271 401ffb GetTickCount 19270->19271 19273 402005 GlobalAlloc 19271->19273 19273->19268 19274 40b389 lstrcmpiW 19275 40224f lstrcmpiW 19277 4022e8 19275->19277 19276 40ba56 StartServiceCtrlDispatcherA 19279 40ba5d 19276->19279 19278 40ba94 19277->19278 19280 40b3cb SetEvent 19277->19280 19281 40b3d7 19277->19281 19279->19279 19280->19281 19281->19276 19282 2d2fec1 19283 2d31738 CreateFileA 19282->19283 19285 2d1e002 19286 2d1e080 19285->19286 19287 2d1e009 19285->19287 19289 2d1fa26 DeleteFileA 19286->19289 19290 2d24646 19289->19290 19291 2cef8da LoadLibraryA 19292 2cef9bd 19291->19292 19293 2cef903 GetProcAddress 19291->19293 19294 2cef9b6 FreeLibrary 19293->19294 19295 2cef917 19293->19295 19294->19292 19296 2cef929 GetAdaptersInfo 19295->19296 19297 2cef9b1 19295->19297 19299 2cf3a8f 19295->19299 19296->19295 19297->19294 19301 2cf3a97 19299->19301 19300 2cf2eec _malloc 59 API calls 19300->19301 19301->19300 19302 2cf3ab1 19301->19302 19303 2cf8143 __calloc_impl RtlDecodePointer 19301->19303 19304 2cf3ab5 std::exception::exception 19301->19304 19302->19295 19303->19301 19307 2cf449a 19304->19307 19306 2cf3adf 19308 2cf44b9 RaiseException 19307->19308 19308->19306 19310 402794 19311 40b84f RegCloseKey 19310->19311 19312 402616 19313 40b880 RegOpenKeyExA 19312->19313 19314 4021f0 19312->19314 19313->19314 19315 2cef7d6 CreateFileA 19316 2cef8d2 19315->19316 19320 2cef807 19315->19320 19317 2cef81f DeviceIoControl 19317->19320 19318 2cef8c8 CloseHandle 19318->19316 19319 2cef894 GetLastError 19319->19318 19319->19320 19320->19317 19320->19318 19320->19319 19321 2cf3a8f _Allocate 
60 API calls 19320->19321 19321->19320 19322 402d60 GetVersion 19346 4039f0 HeapCreate 19322->19346 19324 402dbf 19325 402dc4 19324->19325 19326 402dcc 19324->19326 19421 402e7b 19325->19421 19358 4036d0 19326->19358 19329 402dd4 GetCommandLineA 19372 40359e 19329->19372 19334 402dee 19404 403298 19334->19404 19336 402df3 19337 402df8 GetStartupInfoA 19336->19337 19417 403240 19337->19417 19339 402e0a GetModuleHandleA 19341 402e2e 19339->19341 19427 402fe7 19341->19427 19347 403a10 19346->19347 19348 403a46 19346->19348 19434 4038a8 19347->19434 19348->19324 19351 403a2c 19354 403a49 19351->19354 19448 404618 19351->19448 19352 403a1f 19446 403dc7 HeapAlloc 19352->19446 19354->19324 19355 403a29 19355->19354 19357 403a3a HeapDestroy 19355->19357 19357->19348 19511 402e9f 19358->19511 19361 4036ef GetStartupInfoA 19368 403800 19361->19368 19371 40373b 19361->19371 19364 403867 SetHandleCount 19364->19329 19365 403827 GetStdHandle 19367 403835 GetFileType 19365->19367 19365->19368 19366 402e9f 12 API calls 19366->19371 19367->19368 19368->19364 19368->19365 19369 4037ac 19369->19368 19370 4037ce GetFileType 19369->19370 19370->19369 19371->19366 19371->19368 19371->19369 19373 4035b9 GetEnvironmentStringsW 19372->19373 19374 4035ec 19372->19374 19375 4035c1 19373->19375 19376 4035cd GetEnvironmentStrings 19373->19376 19374->19375 19377 4035dd 19374->19377 19379 4035f9 GetEnvironmentStringsW 19375->19379 19382 403605 19375->19382 19376->19377 19378 402de4 19376->19378 19377->19378 19380 40367f GetEnvironmentStrings 19377->19380 19383 40368b 19377->19383 19395 403351 19378->19395 19379->19378 19379->19382 19380->19378 19380->19383 19381 40361a WideCharToMultiByte 19384 403639 19381->19384 19385 40366b FreeEnvironmentStringsW 19381->19385 19382->19381 19382->19382 19383->19383 19386 402e9f 12 API calls 19383->19386 19387 402e9f 12 API calls 19384->19387 19385->19378 19393 4036a6 19386->19393 19388 40363f 19387->19388 19388->19385 19389 403648 WideCharToMultiByte 
19388->19389 19391 403662 19389->19391 19392 403659 19389->19392 19390 4036bc FreeEnvironmentStringsA 19390->19378 19391->19385 19577 402f51 19392->19577 19393->19390 19396 403363 19395->19396 19397 403368 GetModuleFileNameA 19395->19397 19607 405042 19396->19607 19399 40338b 19397->19399 19400 402e9f 12 API calls 19399->19400 19401 4033ac 19400->19401 19402 402e56 7 API calls 19401->19402 19403 4033bc 19401->19403 19402->19403 19403->19334 19405 4032a5 19404->19405 19407 4032aa 19404->19407 19406 405042 19 API calls 19405->19406 19406->19407 19408 402e9f 12 API calls 19407->19408 19409 4032d7 19408->19409 19410 402e56 7 API calls 19409->19410 19411 4032eb 19409->19411 19410->19411 19414 40332e 19411->19414 19415 402e9f 12 API calls 19411->19415 19416 402e56 7 API calls 19411->19416 19412 402f51 7 API calls 19413 40333a 19412->19413 19413->19336 19414->19412 19415->19411 19416->19411 19418 403249 19417->19418 19420 40324e 19417->19420 19419 405042 19 API calls 19418->19419 19419->19420 19420->19339 19422 402e84 19421->19422 19423 402e89 19421->19423 19424 403c20 7 API calls 19422->19424 19425 403c59 7 API calls 19423->19425 19424->19423 19426 402e92 ExitProcess 19425->19426 19631 403009 19427->19631 19430 4030bc 19431 4030c8 19430->19431 19432 4031f1 UnhandledExceptionFilter 19431->19432 19433 402e48 19431->19433 19432->19433 19457 402c40 19434->19457 19437 4038d1 19438 4038eb GetEnvironmentVariableA 19437->19438 19440 4038e3 19437->19440 19439 4039c8 19438->19439 19442 40390a 19438->19442 19439->19440 19462 40387b GetModuleHandleA 19439->19462 19440->19351 19440->19352 19443 40394f GetModuleFileNameA 19442->19443 19445 403947 19442->19445 19443->19445 19445->19439 19459 40505e 19445->19459 19447 403de3 19446->19447 19447->19355 19449 404625 19448->19449 19450 40462c HeapAlloc 19448->19450 19451 404649 VirtualAlloc 19449->19451 19450->19451 19456 404681 19450->19456 19452 404669 VirtualAlloc 19451->19452 19453 40473e 19451->19453 19454 404730 VirtualFree 
19452->19454 19452->19456 19455 404746 HeapFree 19453->19455 19453->19456 19454->19453 19455->19456 19456->19355 19458 402c4c GetVersionExA 19457->19458 19458->19437 19458->19438 19464 405075 19459->19464 19463 403892 19462->19463 19463->19440 19466 40508d 19464->19466 19468 4050bd 19466->19468 19471 405d39 19466->19471 19467 405d39 6 API calls 19467->19468 19468->19467 19470 405071 19468->19470 19475 405c6d 19468->19475 19470->19439 19472 405d57 19471->19472 19473 405d4b 19471->19473 19481 405b24 19472->19481 19473->19466 19477 405c98 19475->19477 19480 405c7b 19475->19480 19476 405cb4 19476->19480 19493 4058d5 19476->19493 19477->19476 19478 405d39 6 API calls 19477->19478 19478->19476 19480->19468 19482 405b6d 19481->19482 19483 405b55 GetStringTypeW 19481->19483 19485 405b98 GetStringTypeA 19482->19485 19486 405bbc 19482->19486 19483->19482 19484 405b71 GetStringTypeA 19483->19484 19484->19482 19487 405c59 19484->19487 19485->19487 19486->19487 19489 405bd2 MultiByteToWideChar 19486->19489 19487->19473 19489->19487 19490 405bf6 19489->19490 19490->19487 19491 405c30 MultiByteToWideChar 19490->19491 19491->19487 19492 405c49 GetStringTypeW 19491->19492 19492->19487 19494 405905 LCMapStringW 19493->19494 19495 405921 19493->19495 19494->19495 19496 405929 LCMapStringA 19494->19496 19497 405987 19495->19497 19498 40596a LCMapStringA 19495->19498 19496->19495 19505 405a63 19496->19505 19499 40599d MultiByteToWideChar 19497->19499 19497->19505 19498->19505 19500 4059c7 19499->19500 19499->19505 19501 4059fd MultiByteToWideChar 19500->19501 19500->19505 19502 405a16 LCMapStringW 19501->19502 19501->19505 19503 405a31 19502->19503 19502->19505 19504 405a37 19503->19504 19507 405a77 19503->19507 19504->19505 19506 405a45 LCMapStringW 19504->19506 19505->19480 19506->19505 19507->19505 19508 405aaf LCMapStringW 19507->19508 19508->19505 19509 405ac7 WideCharToMultiByte 19508->19509 19509->19505 19520 402eb1 19511->19520 19514 402e56 19515 402e64 19514->19515 19516 
402e5f 19514->19516 19563 403c59 19515->19563 19557 403c20 19516->19557 19521 402eae 19520->19521 19523 402eb8 19520->19523 19521->19361 19521->19514 19523->19521 19524 402edd 19523->19524 19525 402eec 19524->19525 19527 402f01 19524->19527 19529 402efa 19525->19529 19533 404163 19525->19533 19528 402f40 HeapAlloc 19527->19528 19527->19529 19539 404910 19527->19539 19530 402f4f 19528->19530 19529->19528 19529->19530 19531 402eff 19529->19531 19530->19523 19531->19523 19535 404195 19533->19535 19534 404243 19534->19529 19534->19534 19535->19534 19536 404234 19535->19536 19546 40446c 19535->19546 19536->19534 19553 40451d 19536->19553 19540 40491e 19539->19540 19541 404a0a VirtualAlloc 19540->19541 19542 404adf 19540->19542 19545 4049db 19540->19545 19541->19545 19543 404618 5 API calls 19542->19543 19543->19545 19545->19529 19547 4044af HeapAlloc 19546->19547 19548 40447f HeapReAlloc 19546->19548 19550 4044d5 VirtualAlloc 19547->19550 19552 4044ff 19547->19552 19549 40449e 19548->19549 19548->19552 19549->19547 19551 4044ef HeapFree 19550->19551 19550->19552 19551->19552 19552->19536 19554 40452f VirtualAlloc 19553->19554 19556 404578 19554->19556 19556->19534 19558 403c2a 19557->19558 19559 403c59 7 API calls 19558->19559 19562 403c57 19558->19562 19560 403c41 19559->19560 19561 403c59 7 API calls 19560->19561 19561->19562 19562->19515 19566 403c6c 19563->19566 19564 402e6d 19564->19361 19565 403d83 19569 403d96 GetStdHandle WriteFile 19565->19569 19566->19564 19566->19565 19567 403cac 19566->19567 19567->19564 19568 403cb8 GetModuleFileNameA 19567->19568 19570 403cd0 19568->19570 19569->19564 19572 405408 19570->19572 19573 405415 LoadLibraryA 19572->19573 19575 405457 19572->19575 19574 405426 GetProcAddress 19573->19574 19573->19575 19574->19575 19576 40543d GetProcAddress GetProcAddress 19574->19576 19575->19564 19576->19575 19578 402f5d 19577->19578 19586 402f79 19577->19586 19579 402f67 19578->19579 19580 402f7d 19578->19580 19582 402fa9 HeapFree 19579->19582 
19583 402f73 19579->19583 19581 402fa8 19580->19581 19585 402f97 19580->19585 19581->19582 19582->19586 19588 403e3a 19583->19588 19594 4048cb 19585->19594 19586->19391 19590 403e78 19588->19590 19593 40412e 19588->19593 19589 404074 VirtualFree 19591 4040d8 19589->19591 19590->19589 19590->19593 19592 4040e7 VirtualFree HeapFree 19591->19592 19591->19593 19592->19593 19593->19586 19595 4048f8 19594->19595 19596 40490e 19594->19596 19595->19596 19598 4047b2 19595->19598 19596->19586 19601 4047bf 19598->19601 19599 40486f 19599->19596 19600 4047e0 VirtualFree 19600->19601 19601->19599 19601->19600 19603 40475c VirtualFree 19601->19603 19604 404779 19603->19604 19605 4047a9 19604->19605 19606 404789 HeapFree 19604->19606 19605->19601 19606->19601 19608 40504b 19607->19608 19609 405052 19607->19609 19611 404c7e 19608->19611 19609->19397 19618 404e17 19611->19618 19615 404cc1 GetCPInfo 19617 404cd5 19615->19617 19616 404e0b 19616->19609 19617->19616 19623 404ebd GetCPInfo 19617->19623 19619 404e37 19618->19619 19620 404e27 GetOEMCP 19618->19620 19621 404e3c GetACP 19619->19621 19622 404c8f 19619->19622 19620->19619 19621->19622 19622->19615 19622->19616 19622->19617 19627 404ee0 19623->19627 19630 404fa8 19623->19630 19624 405b24 6 API calls 19625 404f5c 19624->19625 19626 4058d5 9 API calls 19625->19626 19628 404f80 19626->19628 19627->19624 19629 4058d5 9 API calls 19628->19629 19629->19630 19630->19616 19632 403015 GetCurrentProcess TerminateProcess 19631->19632 19633 403026 19631->19633 19632->19633 19634 402e37 19633->19634 19635 403090 ExitProcess 19633->19635 19634->19430 19636 2ce72ab InternetOpenA 19637 2ce72c9 InternetSetOptionA InternetSetOptionA InternetSetOptionA 19636->19637 19671 2ce66f4 _memset shared_ptr 19636->19671 19643 2ce7342 _memset 19637->19643 19638 2ce7322 InternetOpenUrlA 19639 2ce7382 InternetCloseHandle 19638->19639 19638->19643 19639->19671 19640 2ce670e RtlEnterCriticalSection RtlLeaveCriticalSection 19640->19671 19641 2ce6708 Sleep 
19641->19640 19642 2ce7346 InternetReadFile 19642->19643 19644 2ce7377 InternetCloseHandle 19642->19644 19643->19638 19643->19642 19644->19639 19645 2ce73e9 RtlEnterCriticalSection RtlLeaveCriticalSection 19682 2cf227c 19645->19682 19647 2cf227c 66 API calls 19647->19671 19648 2cf2eec _malloc 59 API calls 19649 2ce749d RtlEnterCriticalSection RtlLeaveCriticalSection 19648->19649 19649->19671 19650 2ce776a RtlEnterCriticalSection RtlLeaveCriticalSection 19650->19671 19654 2ce78e2 RtlEnterCriticalSection 19655 2ce790f RtlLeaveCriticalSection 19654->19655 19654->19671 19772 2ce3c67 19655->19772 19658 2cf2eec 59 API calls _malloc 19658->19671 19661 2cf3529 60 API calls _strtok 19661->19671 19662 2cea658 73 API calls 19662->19671 19663 2cf2eb4 59 API calls _free 19663->19671 19665 2cf3a8f _Allocate 60 API calls 19665->19671 19671->19636 19671->19640 19671->19641 19671->19645 19671->19647 19671->19648 19671->19650 19671->19654 19671->19655 19671->19658 19671->19661 19671->19662 19671->19663 19671->19665 19671->19671 19675 2ce76ec Sleep 19671->19675 19676 2ce76e7 shared_ptr 19671->19676 19679 2ce61f5 19671->19679 19692 2cf2790 19671->19692 19695 2ce966a 19671->19695 19702 2cea782 19671->19702 19706 2ce5119 19671->19706 19735 2ceab42 19671->19735 19749 2ce4100 19671->19749 19753 2cf2358 19671->19753 19764 2ce1ba7 19671->19764 19779 2ce3d7e 19671->19779 19786 2ce826e 19671->19786 19792 2ced04a 19671->19792 19797 2ce831d 19671->19797 19805 2ce33b2 19671->19805 19812 2ce8f36 19671->19812 19819 2ce534d 19671->19819 19745 2cf1830 19675->19745 19676->19675 19680 2cf2eec _malloc 59 API calls 19679->19680 19681 2ce6208 19680->19681 19683 2cf2288 19682->19683 19684 2cf22ab 19682->19684 19683->19684 19686 2cf228e 19683->19686 19829 2cf22c3 19684->19829 19688 2cf5d9b __cftog_l 59 API calls 19686->19688 19687 2cf22be 19687->19671 19689 2cf2293 19688->19689 19690 2cf4e35 __cftog_l 9 API calls 19689->19690 19691 2cf229e 19690->19691 19691->19671 19839 2cf27ae 19692->19839 19694 2cf27a9 
19694->19671 19696 2ce9674 __EH_prolog 19695->19696 19697 2ce1ba7 4 API calls 19696->19697 19698 2ce96c9 19697->19698 19699 2ce96e6 RtlEnterCriticalSection 19698->19699 19700 2ce9704 RtlLeaveCriticalSection 19699->19700 19701 2ce9701 19699->19701 19700->19671 19701->19700 19703 2cea78c __EH_prolog 19702->19703 19845 2cedf33 19703->19845 19705 2cea7aa shared_ptr 19705->19671 19707 2ce5123 __EH_prolog 19706->19707 19849 2cf0a50 19707->19849 19710 2ce3c67 72 API calls 19711 2ce514a 19710->19711 19712 2ce3d7e 64 API calls 19711->19712 19713 2ce5158 19712->19713 19714 2ce826e 89 API calls 19713->19714 19715 2ce516c 19714->19715 19717 2ce5322 shared_ptr 19715->19717 19853 2cea658 19715->19853 19717->19671 19719 2ce51f6 19721 2cea658 73 API calls 19719->19721 19720 2ce51c4 19722 2cea658 73 API calls 19720->19722 19724 2ce5207 19721->19724 19723 2ce51d4 19722->19723 19723->19717 19726 2cea658 73 API calls 19723->19726 19724->19717 19725 2cea658 73 API calls 19724->19725 19727 2ce524a 19725->19727 19728 2ce52b4 19726->19728 19727->19717 19729 2cea658 73 API calls 19727->19729 19728->19717 19730 2cea658 73 API calls 19728->19730 19729->19723 19731 2ce52da 19730->19731 19731->19717 19732 2cea658 73 API calls 19731->19732 19733 2ce5304 19732->19733 19858 2cece0c 19733->19858 19736 2ceab4c __EH_prolog 19735->19736 19909 2ced021 19736->19909 19738 2ceab6d shared_ptr 19912 2cf2030 19738->19912 19740 2ceab84 19741 2ceab9a 19740->19741 19918 2ce3fb0 19740->19918 19741->19671 19746 2cf183d 19745->19746 19747 2cf1861 19745->19747 19746->19747 19748 2cf1851 GetProcessHeap HeapFree 19746->19748 19747->19671 19748->19747 19750 2ce4118 19749->19750 19751 2ce4112 19749->19751 19750->19671 20165 2cea636 19751->20165 19754 2cf2389 19753->19754 19755 2cf2374 19753->19755 19754->19755 19756 2cf2390 19754->19756 19757 2cf5d9b __cftog_l 59 API calls 19755->19757 20167 2cf5f90 19756->20167 19759 2cf2379 19757->19759 19761 2cf4e35 __cftog_l 9 API calls 19759->19761 19762 2cf2384 19761->19762 
19762->19671 20392 2d05330 19764->20392 19766 2ce1bb1 RtlEnterCriticalSection 19767 2ce1be9 RtlLeaveCriticalSection 19766->19767 19769 2ce1bd1 19766->19769 19768 2ce1bfa RtlEnterCriticalSection 19767->19768 19771 2ce1c22 19768->19771 19769->19767 19770 2ce1c55 RtlLeaveCriticalSection 19769->19770 19770->19671 19771->19770 19773 2cf0a50 Mailbox 68 API calls 19772->19773 19774 2ce3c7e 19773->19774 20393 2ce3ca2 19774->20393 19780 2ce3dcb htons 19779->19780 19781 2ce3d99 htons 19779->19781 20445 2ce3c16 19780->20445 20439 2ce3bd3 19781->20439 19784 2ce3ded 19784->19671 19787 2ce8286 19786->19787 19788 2ce82a7 19786->19788 20476 2ce9530 19787->20476 19791 2ce82cc 19788->19791 20479 2ce2ac7 19788->20479 19791->19671 19793 2cf0a50 Mailbox 68 API calls 19792->19793 19795 2ced060 19793->19795 19794 2ced14e 19794->19671 19795->19794 19796 2ce2db5 73 API calls 19795->19796 19796->19795 19798 2ce8338 WSASetLastError shutdown 19797->19798 19799 2ce8328 19797->19799 19801 2cea43c 69 API calls 19798->19801 19800 2cf0a50 Mailbox 68 API calls 19799->19800 19802 2ce832d 19800->19802 19803 2ce8355 19801->19803 19802->19671 19803->19802 19804 2cf0a50 Mailbox 68 API calls 19803->19804 19804->19802 19806 2ce33c4 InterlockedCompareExchange 19805->19806 19807 2ce33e1 19805->19807 19806->19807 19808 2ce33d6 19806->19808 19809 2ce29ee 76 API calls 19807->19809 20573 2ce32ab 19808->20573 19811 2ce33f1 19809->19811 19811->19671 19813 2ce8f40 __EH_prolog 19812->19813 20621 2ce373f 19813->20621 19815 2ce8f5a RtlEnterCriticalSection 19816 2ce8f69 RtlLeaveCriticalSection 19815->19816 19818 2ce8fa3 19816->19818 19818->19671 19820 2cf2eec _malloc 59 API calls 19819->19820 19821 2ce5362 SHGetSpecialFolderPathA 19820->19821 19822 2ce5378 19821->19822 19822->19822 20630 2cf36b4 19822->20630 19825 2ce53e2 19825->19671 19827 2ce53dc 20646 2cf39c7 19827->20646 19830 2cf21bb _LocaleUpdate::_LocaleUpdate 59 API calls 19829->19830 19831 2cf22d7 19830->19831 19832 2cf22e5 19831->19832 19838 2cf22fc 
19831->19838 19833 2cf5d9b __cftog_l 59 API calls 19832->19833 19834 2cf22ea 19833->19834 19835 2cf4e35 __cftog_l 9 API calls 19834->19835 19836 2cf22f5 ___ascii_stricmp 19835->19836 19836->19687 19837 2cf58ba 66 API calls __tolower_l 19837->19838 19838->19836 19838->19837 19840 2cf27cb 19839->19840 19841 2cf5d9b __cftog_l 59 API calls 19840->19841 19844 2cf27db _strlen 19840->19844 19842 2cf27d0 19841->19842 19843 2cf4e35 __cftog_l 9 API calls 19842->19843 19843->19844 19844->19694 19846 2cedf3d __EH_prolog 19845->19846 19847 2cf3a8f _Allocate 60 API calls 19846->19847 19848 2cedf54 19847->19848 19848->19705 19850 2cf0a79 19849->19850 19851 2ce513d 19849->19851 19852 2cf32e7 __cinit 68 API calls 19850->19852 19851->19710 19852->19851 19854 2cf0a50 Mailbox 68 API calls 19853->19854 19856 2cea672 19854->19856 19855 2ce519d 19855->19717 19855->19719 19855->19720 19856->19855 19863 2ce2db5 19856->19863 19859 2cf0a50 Mailbox 68 API calls 19858->19859 19862 2cece26 19859->19862 19860 2cecf35 19860->19717 19862->19860 19890 2ce2b95 19862->19890 19864 2ce2dca 19863->19864 19865 2ce2de4 19863->19865 19866 2cf0a50 Mailbox 68 API calls 19864->19866 19867 2ce2dfc 19865->19867 19869 2ce2def 19865->19869 19868 2ce2dcf 19866->19868 19877 2ce2d39 WSASetLastError WSASend 19867->19877 19868->19856 19871 2cf0a50 Mailbox 68 API calls 19869->19871 19871->19868 19872 2ce2e0c 19872->19868 19873 2ce2e54 WSASetLastError select 19872->19873 19875 2cf0a50 68 API calls Mailbox 19872->19875 19876 2ce2d39 71 API calls 19872->19876 19887 2cea43c 19873->19887 19875->19872 19876->19872 19878 2cea43c 69 API calls 19877->19878 19879 2ce2d6e 19878->19879 19880 2ce2d75 19879->19880 19881 2ce2d82 19879->19881 19882 2cf0a50 Mailbox 68 API calls 19880->19882 19883 2cf0a50 Mailbox 68 API calls 19881->19883 19885 2ce2d7a 19881->19885 19882->19885 19883->19885 19884 2cf0a50 Mailbox 68 API calls 19886 2ce2d9c 19884->19886 19885->19884 19885->19886 19886->19872 19888 2cf0a50 Mailbox 68 API calls 19887->19888 
19889 2cea448 WSAGetLastError 19888->19889 19889->19872 19891 2ce2bb1 19890->19891 19892 2ce2bc7 19890->19892 19893 2cf0a50 Mailbox 68 API calls 19891->19893 19894 2ce2bd2 19892->19894 19904 2ce2bdf 19892->19904 19898 2ce2bb6 19893->19898 19896 2cf0a50 Mailbox 68 API calls 19894->19896 19895 2ce2be2 WSASetLastError WSARecv 19897 2cea43c 69 API calls 19895->19897 19896->19898 19897->19904 19898->19862 19899 2cf0a50 68 API calls Mailbox 19899->19904 19900 2ce2d22 19905 2ce1996 19900->19905 19902 2ce2cbc WSASetLastError select 19903 2cea43c 69 API calls 19902->19903 19903->19904 19904->19895 19904->19898 19904->19899 19904->19900 19904->19902 19906 2ce199f 19905->19906 19908 2ce19bb 19905->19908 19907 2cf32e7 __cinit 68 API calls 19906->19907 19907->19908 19908->19898 19931 2cee1b3 19909->19931 19911 2ced033 19911->19738 20013 2cf32fc 19912->20013 19915 2cf2054 19915->19740 19916 2cf207d ResumeThread 19916->19740 19917 2cf2076 CloseHandle 19917->19916 19919 2cf0a50 Mailbox 68 API calls 19918->19919 19920 2ce3fb8 19919->19920 20083 2ce1815 19920->20083 19923 2cea5be 19924 2cea5c8 __EH_prolog 19923->19924 20089 2cecb76 19924->20089 19929 2cf449a __CxxThrowException@8 RaiseException 19930 2cea5fc 19929->19930 19932 2cee1bd __EH_prolog 19931->19932 19937 2ce4030 19932->19937 19936 2cee1eb 19936->19911 19949 2d05330 19937->19949 19939 2ce403a GetProcessHeap RtlAllocateHeap 19940 2ce407c 19939->19940 19941 2ce4053 std::exception::exception 19939->19941 19940->19936 19943 2ce408a 19940->19943 19950 2cea5fd 19941->19950 19944 2ce4094 __EH_prolog 19943->19944 19994 2cea21c 19944->19994 19949->19939 19951 2cea607 __EH_prolog 19950->19951 19958 2cecbac 19951->19958 19956 2cf449a __CxxThrowException@8 RaiseException 19957 2cea635 19956->19957 19964 2ced70c 19958->19964 19961 2cecbc6 19986 2ced744 19961->19986 19963 2cea624 19963->19956 19967 2cf2453 19964->19967 19970 2cf2481 19967->19970 19971 2cf248f 19970->19971 19972 2cea616 19970->19972 19976 2cf2517 19971->19976 
19972->19961 19977 2cf2494 19976->19977 19978 2cf2520 19976->19978 19977->19972 19980 2cf24d9 19977->19980 19979 2cf2eb4 _free 59 API calls 19978->19979 19979->19977 19981 2cf24e5 _strlen 19980->19981 19982 2cf250a 19980->19982 19983 2cf2eec _malloc 59 API calls 19981->19983 19982->19972 19984 2cf24f7 19983->19984 19984->19982 19985 2cf6bfc __fltout2 59 API calls 19984->19985 19985->19982 19987 2ced74e __EH_prolog 19986->19987 19990 2ceb66f 19987->19990 19989 2ced785 Mailbox 19989->19963 19991 2ceb679 __EH_prolog 19990->19991 19992 2cf2453 std::exception::exception 59 API calls 19991->19992 19993 2ceb68a Mailbox 19992->19993 19993->19989 20005 2ceb033 19994->20005 19996 2ce40c1 19997 2ce3fdc 19996->19997 20012 2d05330 19997->20012 19999 2ce3fe6 CreateEventA 20000 2ce400f 19999->20000 20001 2ce3ffd 19999->20001 20000->19936 20002 2ce3fb0 Mailbox 68 API calls 20001->20002 20003 2ce4005 20002->20003 20004 2cea5be Mailbox 60 API calls 20003->20004 20004->20000 20006 2ceb05b 20005->20006 20007 2ceb03f 20005->20007 20006->19996 20008 2cf3a8f _Allocate 60 API calls 20007->20008 20009 2ceb04f std::exception::exception 20007->20009 20008->20009 20009->20006 20010 2cf449a __CxxThrowException@8 RaiseException 20009->20010 20011 2cefa64 20010->20011 20012->19999 20014 2cf331e 20013->20014 20015 2cf330a 20013->20015 20017 2cf89ac __calloc_crt 59 API calls 20014->20017 20016 2cf5d9b __cftog_l 59 API calls 20015->20016 20018 2cf330f 20016->20018 20019 2cf332b 20017->20019 20021 2cf4e35 __cftog_l 9 API calls 20018->20021 20020 2cf337c 20019->20020 20022 2cf5b9a ___InternalCxxFrameHandler 59 API calls 20019->20022 20023 2cf2eb4 _free 59 API calls 20020->20023 20027 2cf204b 20021->20027 20024 2cf3338 20022->20024 20025 2cf3382 20023->20025 20026 2cf5c21 __initptd 59 API calls 20024->20026 20025->20027 20032 2cf5d7a 20025->20032 20028 2cf3341 CreateThread 20026->20028 20027->19915 20027->19916 20027->19917 20028->20027 20031 2cf3374 GetLastError 20028->20031 20040 2cf345c 
20028->20040 20031->20020 20037 2cf5d67 20032->20037 20034 2cf5d83 _free 20035 2cf5d9b __cftog_l 59 API calls 20034->20035 20036 2cf5d96 20035->20036 20036->20027 20038 2cf5bb2 __getptd_noexit 59 API calls 20037->20038 20039 2cf5d6c 20038->20039 20039->20034 20041 2cf3465 __threadstartex@4 20040->20041 20042 2cf910b __freeptd TlsGetValue 20041->20042 20043 2cf346b 20042->20043 20044 2cf349e 20043->20044 20045 2cf3472 __threadstartex@4 20043->20045 20046 2cf5a2f __freefls@4 59 API calls 20044->20046 20047 2cf912a __freeptd TlsSetValue 20045->20047 20051 2cf34b9 ___crtIsPackagedApp 20046->20051 20048 2cf3481 20047->20048 20049 2cf3487 GetLastError RtlExitUserThread 20048->20049 20050 2cf3494 GetCurrentThreadId 20048->20050 20049->20050 20050->20051 20052 2cf34cd 20051->20052 20056 2cf3404 20051->20056 20062 2cf3395 20052->20062 20057 2cf340d LoadLibraryExW GetProcAddress 20056->20057 20058 2cf3446 RtlDecodePointer 20056->20058 20059 2cf342f 20057->20059 20060 2cf3430 RtlEncodePointer 20057->20060 20061 2cf3456 20058->20061 20059->20052 20060->20058 20061->20052 20063 2cf33a1 _doexit 20062->20063 20064 2cf5b9a ___InternalCxxFrameHandler 59 API calls 20063->20064 20065 2cf33a6 20064->20065 20070 2cf33d6 20065->20070 20071 2cf5bb2 __getptd_noexit 59 API calls 20070->20071 20072 2cf33df 20071->20072 20073 2cf33fa RtlExitUserThread 20072->20073 20074 2cf33f3 20072->20074 20078 2cf34d9 20072->20078 20075 2cf5b64 __freeptd 59 API calls 20074->20075 20077 2cf33f9 20075->20077 20077->20073 20079 2cf351a RtlDecodePointer 20078->20079 20080 2cf34e2 LoadLibraryExW GetProcAddress 20078->20080 20081 2cf3528 20079->20081 20080->20081 20082 2cf3504 RtlEncodePointer 20080->20082 20081->20074 20082->20079 20086 2cf2413 20083->20086 20087 2cf24d9 std::exception::_Copy_str 59 API calls 20086->20087 20088 2ce182a 20087->20088 20088->19923 20095 2ced63d 20089->20095 20092 2cecb90 20157 2ced675 20092->20157 20094 2cea5eb 20094->19929 20098 2ceb161 20095->20098 20099 2ceb16b __EH_prolog 
20098->20099 20100 2cf2453 std::exception::exception 59 API calls 20099->20100 20101 2ceb17c 20100->20101 20104 2ce7c31 20101->20104 20107 2ce882b 20104->20107 20106 2ce7c50 20106->20092 20108 2ce88b4 20107->20108 20109 2ce8840 20107->20109 20136 2cefa93 20108->20136 20110 2ce884d 20109->20110 20111 2ce8864 20109->20111 20119 2ce905e 20110->20119 20129 2ce9151 20111->20129 20118 2ce8862 _memmove 20118->20106 20120 2ce9082 20119->20120 20121 2ce8855 20119->20121 20122 2cefa93 std::bad_exception::bad_exception 60 API calls 20120->20122 20124 2ce908d 20121->20124 20123 2ce908c 20122->20123 20125 2ce9104 20124->20125 20128 2ce909e _memmove 20124->20128 20126 2cefa93 std::bad_exception::bad_exception 60 API calls 20125->20126 20127 2ce910e 20126->20127 20128->20118 20130 2ce915d 20129->20130 20131 2ce91a9 20129->20131 20135 2ce916b std::bad_exception::bad_exception 20130->20135 20141 2ce9a0c 20130->20141 20145 2cefa65 20131->20145 20135->20118 20137 2cf2413 std::exception::exception 59 API calls 20136->20137 20138 2cefaab 20137->20138 20139 2cf449a __CxxThrowException@8 RaiseException 20138->20139 20140 2cefac0 20139->20140 20142 2ce9a16 __EH_prolog 20141->20142 20150 2ceabad 20142->20150 20144 2ce9a6d _memmove std::bad_exception::bad_exception 20144->20135 20146 2cf2413 std::exception::exception 59 API calls 20145->20146 20147 2cefa7d 20146->20147 20148 2cf449a __CxxThrowException@8 RaiseException 20147->20148 20149 2cefa92 20148->20149 20151 2ceabb9 20150->20151 20152 2ceabd0 20150->20152 20153 2cf3a8f _Allocate 60 API calls 20151->20153 20154 2ceabc4 std::exception::exception 20151->20154 20152->20144 20153->20154 20154->20152 20155 2cf449a __CxxThrowException@8 RaiseException 20154->20155 20156 2cefa64 20155->20156 20158 2ced67f __EH_prolog 20157->20158 20161 2ceb559 20158->20161 20160 2ced6b6 Mailbox 20160->20094 20162 2ceb563 __EH_prolog 20161->20162 20163 2ceb161 std::bad_exception::bad_exception 60 API calls 20162->20163 20164 2ceb574 Mailbox 20163->20164 

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              APIs
                                                                              • Sleep.KERNELBASE(0000EA60), ref: 02CE6708
                                                                              • RtlEnterCriticalSection.NTDLL(02D171B8), ref: 02CE6713
                                                                              • RtlLeaveCriticalSection.NTDLL(02D171B8), ref: 02CE6724
                                                                              • _memset.LIBCMT ref: 02CE6779
                                                                              • _memset.LIBCMT ref: 02CE6788
                                                                              • InternetOpenA.WININET(?), ref: 02CE72B5
                                                                              • InternetSetOptionA.WININET(00000000,00000002,?), ref: 02CE72DD
                                                                              • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02CE72F5
                                                                              • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02CE730D
                                                                              • _memset.LIBCMT ref: 02CE731D
                                                                              • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02CE7336
                                                                              • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02CE7358
                                                                              • InternetCloseHandle.WININET(00000000), ref: 02CE7378
                                                                              • InternetCloseHandle.WININET(00000000), ref: 02CE7383
                                                                              • _memset.LIBCMT ref: 02CE73CB
                                                                              • RtlEnterCriticalSection.NTDLL(02D171B8), ref: 02CE73EE
                                                                              • RtlLeaveCriticalSection.NTDLL(02D171B8), ref: 02CE73FF
                                                                              • _malloc.LIBCMT ref: 02CE7498
                                                                              • RtlEnterCriticalSection.NTDLL(02D171B8), ref: 02CE74AA
                                                                              • RtlLeaveCriticalSection.NTDLL(02D171B8), ref: 02CE74B6
                                                                              • _memset.LIBCMT ref: 02CE74D0
                                                                              • _memset.LIBCMT ref: 02CE74DF
                                                                              • _memset.LIBCMT ref: 02CE74EF
                                                                              • _memset.LIBCMT ref: 02CE7502
                                                                              • _memset.LIBCMT ref: 02CE7518
                                                                              • _malloc.LIBCMT ref: 02CE758E
                                                                              • _memset.LIBCMT ref: 02CE759F
                                                                              • _strtok.LIBCMT ref: 02CE75BF
                                                                              • _swscanf.LIBCMT ref: 02CE75D6
                                                                              • _strtok.LIBCMT ref: 02CE75ED
                                                                              • _free.LIBCMT ref: 02CE75F9
                                                                              • Sleep.KERNEL32(000007D0), ref: 02CE76F1
                                                                              • _memset.LIBCMT ref: 02CE7765
                                                                              • RtlEnterCriticalSection.NTDLL(02D171B8), ref: 02CE7772
                                                                              • RtlLeaveCriticalSection.NTDLL(02D171B8), ref: 02CE7784
                                                                              • _sprintf.LIBCMT ref: 02CE7822
                                                                              • RtlEnterCriticalSection.NTDLL(00000020), ref: 02CE78E6
                                                                              • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02CE791A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _memset$CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
                                                                              • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
                                                                              • API String ID: 696907137-1839899575
                                                                              • Opcode ID: b168efe3366abea5451026053ccb2b570f8e0c819f83d0f9ff208afa43581901
                                                                              • Instruction ID: 95cc32999d32809c4614a8d274323bb510953122e4c0c67ef28d061774290967
                                                                              • Opcode Fuzzy Hash: b168efe3366abea5451026053ccb2b570f8e0c819f83d0f9ff208afa43581901
                                                                              • Instruction Fuzzy Hash: D4320331548381AFEB74AB64D841BAFB7E6EFD5310F10081DF58A972A0EB719908CB53

                                                                              Control-flow Graph

                                                                              control_flow_graph 473 2ce648b-2ce66f1 RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress call 2ce42c7 GetTickCount call 2ce605a GetVersionExA call 2cf4a30 call 2cf2eec * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 2cf4a30 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 2cf2eec * 4 QueryPerformanceCounter Sleep call 2cf2eec * 2 call 2cf4a30 * 2 518 2ce66f4-2ce66f6 473->518 519 2ce66ff-2ce6701 518->519 520 2ce66f8-2ce66fd 518->520 521 2ce670e-2ce6742 RtlEnterCriticalSection RtlLeaveCriticalSection 519->521 522 2ce6703 519->522 523 2ce6708 Sleep 520->523 524 2ce6744-2ce6750 521->524 525 2ce6792 521->525 522->523 523->521 524->525 526 2ce6752-2ce675f 524->526 527 2ce6796-2ce72c3 InternetOpenA 525->527 528 2ce6767-2ce6768 526->528 529 2ce6761-2ce6765 526->529 532 2ce7389-2ce738f 527->532 533 2ce72c9-2ce7340 InternetSetOptionA * 3 call 2cf4a30 InternetOpenUrlA 527->533 531 2ce676c-2ce6790 call 2cf4a30 * 2 528->531 529->531 531->527 534 2ce73ab-2ce73b9 532->534 535 2ce7391-2ce7397 532->535 546 2ce7382-2ce7383 InternetCloseHandle 533->546 547 2ce7342 533->547 534->518 541 2ce73bf-2ce73e3 call 2cf4a30 call 2ce439c 534->541 538 2ce739d-2ce73aa call 2ce53ec 535->538 539 2ce7399-2ce739b 535->539 538->534 539->534 541->518 556 2ce73e9-2ce7417 RtlEnterCriticalSection RtlLeaveCriticalSection call 2cf227c 541->556 546->532 551 2ce7346-2ce736c InternetReadFile 547->551 553 2ce736e-2ce7375 551->553 554 2ce7377-2ce737e InternetCloseHandle 551->554 553->551 554->546 559 2ce746d-2ce7488 call 2cf227c 556->559 560 2ce7419-2ce742b call 2cf227c 556->560 565 2ce748e-2ce7490 559->565 566 2ce7742-2ce7754 call 2cf227c 559->566 560->559 567 2ce742d-2ce743f call 2cf227c 560->567 565->566 568 2ce7496-2ce7548 call 2cf2eec RtlEnterCriticalSection RtlLeaveCriticalSection call 2cf4a30 * 5 call 2ce439c * 2 565->568 575 2ce779d-2ce77af call 2cf227c 566->575 576 2ce7756-2ce7758 566->576 567->559 577 2ce7441-2ce7453 call 2cf227c 567->577 630 2ce754a-2ce754c 568->630 631 2ce7585 568->631 588 2ce77d0-2ce77e2 call 2cf227c 575->588 589 2ce77b1-2ce77bf call 2ce61f5 call 2ce6303 575->589 576->575 579 2ce775a-2ce7798 call 2cf4a30 RtlEnterCriticalSection RtlLeaveCriticalSection 576->579 577->559 590 2ce7455-2ce7467 call 2cf227c 577->590 579->518 599 2ce77e8-2ce77ea 588->599 600 2ce7b00-2ce7b12 call 2cf227c 588->600 606 2ce77c4-2ce77cb call 2ce640e 589->606 590->518 590->559 599->600 604 2ce77f0-2ce7807 call 2ce439c 599->604 600->518 612 2ce7b18-2ce7b46 call 2cf2eec call 2cf4a30 call 2ce439c 600->612 604->518 616 2ce780d-2ce78db call 2cf2358 call 2ce1ba7 604->616 606->518 638 2ce7b4f-2ce7b56 call 2cf2eb4 612->638 639 2ce7b48-2ce7b4a call 2ce534d 612->639 633 2ce78dd call 2ce143f 616->633 634 2ce78e2-2ce7903 RtlEnterCriticalSection 616->634 630->631 637 2ce754e-2ce7560 call 2cf227c 630->637 640 2ce7589-2ce75b7 call 2cf2eec call 2cf4a30 call 2ce439c 631->640 633->634 635 2ce790f-2ce7973 RtlLeaveCriticalSection call 2ce3c67 call 2ce3d7e call 2ce826e 634->635 636 2ce7905-2ce790c 634->636 664 2ce7979-2ce79c1 call 2cea658 635->664 665 2ce7ae7-2ce7afb call 2ce8f36 635->665 636->635 637->631 652 2ce7562-2ce7583 call 2ce439c 637->652 638->518 639->638 662 2ce75f8-2ce7601 call 2cf2eb4 640->662 663 2ce75b9-2ce75c8 call 2cf3529 640->663 652->640 677 2ce7738-2ce773b 662->677 678 2ce7607-2ce761f call 2cf3a8f 662->678 663->662 674 2ce75ca 663->674 675 2ce79c7-2ce79ce 664->675 676 2ce7ab1-2ce7ae2 call 2ce831d call 2ce33b2 664->676 665->518 680 2ce75cf-2ce75e1 call 2cf2790 674->680 682 2ce79d1-2ce79d6 675->682 676->665 677->566 687 2ce762b 678->687 688 2ce7621-2ce7629 call 2ce966a 678->688 694 2ce75e6-2ce75f6 call 2cf3529 680->694 695 2ce75e3 680->695 682->682 686 2ce79d8-2ce7a23 call 2cea658 682->686 686->676 697 2ce7a29-2ce7a2f 686->697 693 2ce762d-2ce76e5 call 2cea782 call 2ce3863 call 2ce5119 call 2ce3863 call 2ceaa28 call 2ceab42 687->693 688->693 720 2ce76ec-2ce7717 Sleep call 2cf1830 693->720 721 2ce76e7 call 2ce380b 693->721 694->662 694->680 695->694 701 2ce7a32-2ce7a37 697->701 701->701 704 2ce7a39-2ce7a74 call 2cea658 701->704 704->676 710 2ce7a76-2ce7ab0 call 2ced04a 704->710 710->676 725 2ce7719-2ce7722 call 2ce4100 720->725 726 2ce7723-2ce7731 720->726 721->720 725->726 726->677 728 2ce7733 call 2ce380b 726->728 728->677
                                                                              APIs
                                                                              • RtlInitializeCriticalSection.NTDLL(02D171B8), ref: 02CE64BA
                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02CE64D1
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02CE64DA
                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02CE64E9
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02CE64EC
                                                                              • GetTickCount.KERNEL32 ref: 02CE64F8
                                                                                • Part of subcall function 02CE605A: _malloc.LIBCMT ref: 02CE6068
                                                                              • GetVersionExA.KERNEL32(02D17010), ref: 02CE6525
                                                                              • _memset.LIBCMT ref: 02CE6544
                                                                              • _malloc.LIBCMT ref: 02CE6551
                                                                                • Part of subcall function 02CF2EEC: __FF_MSGBANNER.LIBCMT ref: 02CF2F03
                                                                                • Part of subcall function 02CF2EEC: __NMSG_WRITE.LIBCMT ref: 02CF2F0A
                                                                                • Part of subcall function 02CF2EEC: RtlAllocateHeap.NTDLL(00880000,00000000,00000001), ref: 02CF2F2F
                                                                              • _malloc.LIBCMT ref: 02CE6561
                                                                              • _malloc.LIBCMT ref: 02CE656C
                                                                              • _malloc.LIBCMT ref: 02CE6577
                                                                              • _malloc.LIBCMT ref: 02CE6582
                                                                              • _malloc.LIBCMT ref: 02CE658D
                                                                              • _malloc.LIBCMT ref: 02CE6598
                                                                              • _malloc.LIBCMT ref: 02CE65A7
                                                                              • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02CE65BE
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02CE65C7
                                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02CE65D6
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02CE65D9
                                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02CE65E4
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02CE65E7
                                                                              • _memset.LIBCMT ref: 02CE65FA
                                                                              • _memset.LIBCMT ref: 02CE6606
                                                                              • _memset.LIBCMT ref: 02CE6613
                                                                              • RtlEnterCriticalSection.NTDLL(02D171B8), ref: 02CE6621
                                                                              • RtlLeaveCriticalSection.NTDLL(02D171B8), ref: 02CE662E
                                                                              • _malloc.LIBCMT ref: 02CE6652
                                                                              • _malloc.LIBCMT ref: 02CE6660
                                                                              • _malloc.LIBCMT ref: 02CE6667
                                                                              • _malloc.LIBCMT ref: 02CE668D
                                                                              • QueryPerformanceCounter.KERNEL32(00000200), ref: 02CE66A0
                                                                              • Sleep.KERNELBASE ref: 02CE66AE
                                                                              • _malloc.LIBCMT ref: 02CE66BA
                                                                              • _malloc.LIBCMT ref: 02CE66C7
                                                                              • _memset.LIBCMT ref: 02CE66DC
                                                                              • _memset.LIBCMT ref: 02CE66EC
                                                                              • Sleep.KERNELBASE(0000EA60), ref: 02CE6708
                                                                              • RtlEnterCriticalSection.NTDLL(02D171B8), ref: 02CE6713
                                                                              • RtlLeaveCriticalSection.NTDLL(02D171B8), ref: 02CE6724
                                                                              • _memset.LIBCMT ref: 02CE6779
                                                                              • _memset.LIBCMT ref: 02CE6788
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _malloc$_memset$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                              • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                              • API String ID: 2251652938-2678694477
                                                                              • Opcode ID: 2fc7ae0457463f319f34f89de218540d261bc0fac19f4535f570974f4f648dd3
                                                                              • Instruction ID: ab2af326e6ce7828552fdf5197e3ca756ea38e6e0005f5e655a98032dc703b05
                                                                              • Opcode Fuzzy Hash: 2fc7ae0457463f319f34f89de218540d261bc0fac19f4535f570974f4f648dd3
                                                                              • Instruction Fuzzy Hash: 9A718271D94340AFE350AF70AC45B6BBBE9AF45710F210819FA8597390EBB45C00DF96

                                                                              Control-flow Graph

                                                                              control_flow_graph 731 401b4b-401b68 LoadLibraryA 732 401c21-401c25 731->732 733 401b6e-401b7f GetProcAddress 731->733 734 401b85-401b8e 733->734 735 401c18-401c1b FreeLibrary 733->735 736 401b95-401ba5 GetAdaptersInfo 734->736 735->732 737 401ba7-401bb0 736->737 738 401bdb-401be3 736->738 739 401bc1-401bd7 call 402bc0 call 4018cc 737->739 740 401bb2-401bb6 737->740 741 401be5-401beb call 402ba6 738->741 742 401bec-401bf0 738->742 739->738 740->738 745 401bb8-401bbf 740->745 741->742 743 401bf2-401bf6 742->743 744 401c15-401c17 742->744 743->744 748 401bf8-401bfb 743->748 744->735 745->739 745->740 751 401c06-401c13 call 402b98 748->751 752 401bfd-401c03 748->752 751->736 751->744 752->751
                                                                              APIs
                                                                              • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                              • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                              • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                              • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                              • API String ID: 514930453-3667123677
                                                                              • Opcode ID: 4786119c2dd8152e4b47b2a924d6ecb004799f19bdb0843ab8028876a5fcac46
                                                                              • Instruction ID: 9300e3b8f0653b0f10764aaa79a1f2494f67c894d04353eb45b18fdb2f867aae
                                                                              • Opcode Fuzzy Hash: 4786119c2dd8152e4b47b2a924d6ecb004799f19bdb0843ab8028876a5fcac46
                                                                              • Instruction Fuzzy Hash: 9621B870944109AFEF11DF65C944BEF7BB8EF41344F1440BAE504B22E1E778A985CB69

                                                                              Control-flow Graph

                                                                              control_flow_graph 782 2cef8da-2cef8fd LoadLibraryA 783 2cef9bd-2cef9c4 782->783 784 2cef903-2cef911 GetProcAddress 782->784 785 2cef9b6-2cef9b7 FreeLibrary 784->785 786 2cef917-2cef927 784->786 785->783 787 2cef929-2cef935 GetAdaptersInfo 786->787 788 2cef96d-2cef975 787->788 789 2cef937 787->789 790 2cef97e-2cef983 788->790 791 2cef977-2cef97d call 2cf36eb 788->791 792 2cef939-2cef940 789->792 794 2cef985-2cef988 790->794 795 2cef9b1-2cef9b5 790->795 791->790 796 2cef94a-2cef952 792->796 797 2cef942-2cef946 792->797 794->795 799 2cef98a-2cef98f 794->799 795->785 801 2cef955-2cef95a 796->801 797->792 800 2cef948 797->800 802 2cef99c-2cef9a7 call 2cf3a8f 799->802 803 2cef991-2cef999 799->803 800->788 801->801 804 2cef95c-2cef969 call 2cef629 801->804 802->795 809 2cef9a9-2cef9ac 802->809 803->802 804->788 809->787
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02CEF8F0
                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02CEF909
                                                                              • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02CEF92E
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 02CEF9B7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                              • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                              • API String ID: 514930453-3114217049
                                                                              • Opcode ID: 7ba8b9a16065ddd4152d0f60009fd7b6d131962d5b4f48079a277b1d0aae67cc
                                                                              • Instruction ID: cc487cad1648f0235033a851e78b8394a7e1bafb11e64a33c377472c1b0cf101
                                                                              • Opcode Fuzzy Hash: 7ba8b9a16065ddd4152d0f60009fd7b6d131962d5b4f48079a277b1d0aae67cc
                                                                              • Instruction Fuzzy Hash: 6721B971E04209ABDF10DFB9D8807EEBBB9DF55310F1440AED586E7641D7309A45CBA4

                                                                              Control-flow Graph

                                                                              control_flow_graph 810 2cef7d6-2cef801 CreateFileA 811 2cef807-2cef81c 810->811 812 2cef8d2-2cef8d9 810->812 813 2cef81f-2cef841 DeviceIoControl 811->813 814 2cef87a-2cef882 813->814 815 2cef843-2cef84b 813->815 818 2cef88b-2cef88d 814->818 819 2cef884-2cef88a call 2cf36eb 814->819 816 2cef84d-2cef852 815->816 817 2cef854-2cef859 815->817 816->814 817->814 820 2cef85b-2cef863 817->820 822 2cef88f-2cef892 818->822 823 2cef8c8-2cef8d1 CloseHandle 818->823 819->818 824 2cef866-2cef86b 820->824 826 2cef8ae-2cef8bb call 2cf3a8f 822->826 827 2cef894-2cef89d GetLastError 822->827 823->812 824->824 830 2cef86d-2cef879 call 2cef629 824->830 826->823 834 2cef8bd-2cef8c3 826->834 827->823 828 2cef89f-2cef8a2 827->828 828->826 831 2cef8a4-2cef8ab 828->831 830->814 831->826 834->813
                                                                              APIs
                                                                              • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02CEF7F5
                                                                              • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02CEF833
                                                                              • GetLastError.KERNEL32 ref: 02CEF894
                                                                              • CloseHandle.KERNELBASE(?), ref: 02CEF8CB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                              • String ID: \\.\PhysicalDrive0
                                                                              • API String ID: 4026078076-1180397377
                                                                              • Opcode ID: ba74e8a8aeddc57e1ad656d9e0d79ea6ad8cc0aab719d5a02c6cd64dbc3a4679
                                                                              • Instruction ID: 6a56d2882959106194235364ac377f79c71b6126a378a11035f7823267282ce9
                                                                              • Opcode Fuzzy Hash: ba74e8a8aeddc57e1ad656d9e0d79ea6ad8cc0aab719d5a02c6cd64dbc3a4679
                                                                              • Instruction Fuzzy Hash: 0231E071D00219ABDF24CF95D894BAEBBB8FF46710F20426EE516A7680C7705F01CB90

                                                                              Control-flow Graph

                                                                              control_flow_graph 836 401a4f-401a77 CreateFileA 837 401b45-401b4a 836->837 838 401a7d-401a91 836->838 839 401a98-401ac0 DeviceIoControl 838->839 840 401ac2-401aca 839->840 841 401af3-401afb 839->841 842 401ad4-401ad9 840->842 843 401acc-401ad2 840->843 844 401b04-401b07 841->844 845 401afd-401b03 call 402ba6 841->845 842->841 848 401adb-401af1 call 402bc0 call 4018cc 842->848 843->841 846 401b09-401b0c 844->846 847 401b3a-401b44 CloseHandle 844->847 845->844 850 401b27-401b34 call 402b98 846->850 851 401b0e-401b17 GetLastError 846->851 847->837 848->841 850->839 850->847 851->847 854 401b19-401b1c 851->854 854->850 857 401b1e-401b24 854->857 857->850
                                                                              APIs
                                                                              • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                              • DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                              • GetLastError.KERNEL32 ref: 00401B0E
                                                                              • CloseHandle.KERNELBASE(?), ref: 00401B3D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                              • String ID: \\.\PhysicalDrive0
                                                                              • API String ID: 4026078076-1180397377
                                                                              • Opcode ID: a2e68a95d94bbc6a40bee8a11280b17da373fae52957672b226b91710cefcd17
                                                                              • Instruction ID: c07866d4b4e887281577b2397114bebd63d98cfae9bba907e2345ee80fd6f57b
                                                                              • Opcode Fuzzy Hash: a2e68a95d94bbc6a40bee8a11280b17da373fae52957672b226b91710cefcd17
                                                                              • Instruction Fuzzy Hash: 00316D71D01118EACB21EFA5CD849EFBBB9FF41750F20417AE515B22A0E3786E45CB98

                                                                              Control-flow Graph

                                                                              control_flow_graph 891 40224f-40ba81 lstrcmpiW 893 40ba87 call 4024d3 891->893 894 40b9ff-40ba5c StartServiceCtrlDispatcherA 891->894 897 40ba8c-40ba8e 893->897 900 40ba5d 894->900 898 40ba94 897->898 899 4022e8-40b3d7 SetEvent call 4022cb 897->899 899->894 900->900
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: CtrlDispatcherEventServiceStartlstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 3665080917-0
                                                                              • Opcode ID: a2952c6a3fbd28e0accaa57e844d030e981a787fc7a1bb76611cec4b22fde3e1
                                                                              • Instruction ID: 969fb6242b90c18dc11a1844badb58636817ec9d1214cc78876ef9f551083592
                                                                              • Opcode Fuzzy Hash: a2952c6a3fbd28e0accaa57e844d030e981a787fc7a1bb76611cec4b22fde3e1
                                                                              • Instruction Fuzzy Hash: 0DE04670908106EACA00EBA28E4966A366CEA08314721447BE507B01E1D73C8516BAAF

                                                                              Control-flow Graph

                                                                              control_flow_graph 213 2ce6429-2ce643f 214 2ce64a4-2ce64ec RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 213->214 215 2ce6441-2ce6444 213->215 216 2ce64f3-2ce66f1 GetTickCount call 2ce605a GetVersionExA call 2cf4a30 call 2cf2eec * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 2cf4a30 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 2cf2eec * 4 QueryPerformanceCounter Sleep call 2cf2eec * 2 call 2cf4a30 * 2 214->216 217 2ce64ee call 2ce42c7 214->217 215->214 260 2ce66f4-2ce66f6 216->260 217->216 261 2ce66ff-2ce6701 260->261 262 2ce66f8-2ce66fd 260->262 263 2ce670e-2ce6742 RtlEnterCriticalSection RtlLeaveCriticalSection 261->263 264 2ce6703 261->264 265 2ce6708 Sleep 262->265 266 2ce6744-2ce6750 263->266 267 2ce6792 263->267 264->265 265->263 266->267 268 2ce6752-2ce675f 266->268 269 2ce6796-2ce72c3 InternetOpenA 267->269 270 2ce6767-2ce6768 268->270 271 2ce6761-2ce6765 268->271 274 2ce7389-2ce738f 269->274 275 2ce72c9-2ce7340 InternetSetOptionA * 3 call 2cf4a30 InternetOpenUrlA 269->275 273 2ce676c-2ce6790 call 2cf4a30 * 2 270->273 271->273 273->269 276 2ce73ab-2ce73b9 274->276 277 2ce7391-2ce7397 274->277 288 2ce7382-2ce7383 InternetCloseHandle 275->288 289 2ce7342 275->289 276->260 283 2ce73bf-2ce73e3 call 2cf4a30 call 2ce439c 276->283 280 2ce739d-2ce73aa call 2ce53ec 277->280 281 2ce7399-2ce739b 277->281 280->276 281->276 283->260 298 2ce73e9-2ce7417 RtlEnterCriticalSection RtlLeaveCriticalSection call 2cf227c 283->298 288->274 293 2ce7346-2ce736c InternetReadFile 289->293 295 2ce736e-2ce7375 293->295 296 2ce7377-2ce737e InternetCloseHandle 293->296 295->293 296->288 301 2ce746d-2ce7488 call 2cf227c 298->301 302 2ce7419-2ce742b call 2cf227c 298->302 307 2ce748e-2ce7490 301->307 308 2ce7742-2ce7754 call 2cf227c 301->308 302->301 309 2ce742d-2ce743f call 2cf227c 302->309 307->308 
310 2ce7496-2ce7548 call 2cf2eec RtlEnterCriticalSection RtlLeaveCriticalSection call 2cf4a30 * 5 call 2ce439c * 2 307->310 317 2ce779d-2ce77af call 2cf227c 308->317 318 2ce7756-2ce7758 308->318 309->301 319 2ce7441-2ce7453 call 2cf227c 309->319 372 2ce754a-2ce754c 310->372 373 2ce7585 310->373 330 2ce77d0-2ce77e2 call 2cf227c 317->330 331 2ce77b1-2ce77cb call 2ce61f5 call 2ce6303 call 2ce640e 317->331 318->317 321 2ce775a-2ce7798 call 2cf4a30 RtlEnterCriticalSection RtlLeaveCriticalSection 318->321 319->301 332 2ce7455-2ce7467 call 2cf227c 319->332 321->260 341 2ce77e8-2ce77ea 330->341 342 2ce7b00-2ce7b12 call 2cf227c 330->342 331->260 332->260 332->301 341->342 346 2ce77f0-2ce7807 call 2ce439c 341->346 342->260 354 2ce7b18-2ce7b46 call 2cf2eec call 2cf4a30 call 2ce439c 342->354 346->260 358 2ce780d-2ce78db call 2cf2358 call 2ce1ba7 346->358 380 2ce7b4f-2ce7b56 call 2cf2eb4 354->380 381 2ce7b48-2ce7b4a call 2ce534d 354->381 375 2ce78dd call 2ce143f 358->375 376 2ce78e2-2ce7903 RtlEnterCriticalSection 358->376 372->373 379 2ce754e-2ce7560 call 2cf227c 372->379 382 2ce7589-2ce75b7 call 2cf2eec call 2cf4a30 call 2ce439c 373->382 375->376 377 2ce790f-2ce7973 RtlLeaveCriticalSection call 2ce3c67 call 2ce3d7e call 2ce826e 376->377 378 2ce7905-2ce790c 376->378 406 2ce7979-2ce79c1 call 2cea658 377->406 407 2ce7ae7-2ce7afb call 2ce8f36 377->407 378->377 379->373 394 2ce7562-2ce7583 call 2ce439c 379->394 380->260 381->380 404 2ce75f8-2ce7601 call 2cf2eb4 382->404 405 2ce75b9-2ce75c8 call 2cf3529 382->405 394->382 419 2ce7738-2ce773b 404->419 420 2ce7607-2ce761f call 2cf3a8f 404->420 405->404 416 2ce75ca 405->416 417 2ce79c7-2ce79ce 406->417 418 2ce7ab1-2ce7ae2 call 2ce831d call 2ce33b2 406->418 407->260 422 2ce75cf-2ce75e1 call 2cf2790 416->422 424 2ce79d1-2ce79d6 417->424 418->407 419->308 429 2ce762b 420->429 430 2ce7621-2ce7629 call 2ce966a 420->430 436 2ce75e6-2ce75f6 call 2cf3529 422->436 437 2ce75e3 422->437 424->424 428 2ce79d8-2ce7a23 call 2cea658 424->428 428->418 
439 2ce7a29-2ce7a2f 428->439 435 2ce762d-2ce76e5 call 2cea782 call 2ce3863 call 2ce5119 call 2ce3863 call 2ceaa28 call 2ceab42 429->435 430->435 462 2ce76ec-2ce7717 Sleep call 2cf1830 435->462 463 2ce76e7 call 2ce380b 435->463 436->404 436->422 437->436 443 2ce7a32-2ce7a37 439->443 443->443 446 2ce7a39-2ce7a74 call 2cea658 443->446 446->418 452 2ce7a76-2ce7ab0 call 2ced04a 446->452 452->418 467 2ce7719-2ce7722 call 2ce4100 462->467 468 2ce7723-2ce7731 462->468 463->462 467->468 468->419 470 2ce7733 call 2ce380b 468->470 470->419
                                                                              APIs
                                                                              • RtlInitializeCriticalSection.NTDLL(02D171B8), ref: 02CE64BA
                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02CE64D1
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02CE64DA
                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02CE64E9
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02CE64EC
                                                                              • GetTickCount.KERNEL32 ref: 02CE64F8
                                                                              • GetVersionExA.KERNEL32(02D17010), ref: 02CE6525
                                                                              • _memset.LIBCMT ref: 02CE6544
                                                                              • _malloc.LIBCMT ref: 02CE6551
                                                                              • _malloc.LIBCMT ref: 02CE6561
                                                                              • _malloc.LIBCMT ref: 02CE656C
                                                                              • _malloc.LIBCMT ref: 02CE6577
                                                                              • _malloc.LIBCMT ref: 02CE6582
                                                                              • _malloc.LIBCMT ref: 02CE658D
                                                                              • _malloc.LIBCMT ref: 02CE6598
                                                                              • _malloc.LIBCMT ref: 02CE65A7
                                                                              • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02CE65BE
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02CE65C7
                                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02CE65D6
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02CE65D9
                                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02CE65E4
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02CE65E7
                                                                              • _memset.LIBCMT ref: 02CE65FA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _malloc$Heap$AllocateProcess$AddressHandleModuleProc_memset$CountCriticalInitializeSectionTickVersion
                                                                              • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                              • API String ID: 3095297975-2678694477
                                                                              • Opcode ID: 9a456483e56b7994f78a5e84393c33920da82fedbe89d21ca6131501fdf42eea
                                                                              • Instruction ID: e14225324a81727b2793900f0237b43b8e7b57cbbbf8ab2a3e9a597d22a406ab
                                                                              • Opcode Fuzzy Hash: 9a456483e56b7994f78a5e84393c33920da82fedbe89d21ca6131501fdf42eea
                                                                              • Instruction Fuzzy Hash: 4F71A1B1D85340AFE350AF70AC45B6BBBE9EF85310F21081AFA459B350EBB45800DF96

                                                                              Control-flow Graph

                                                                              control_flow_graph 757 401f64-401f84 FindResourceA 758 401f86-401f9d GetLastError SizeofResource 757->758 759 401f9f-401fa1 757->759 758->759 760 401fa6-401fec LoadResource LockResource GlobalAlloc call 402800 * 2 758->760 761 402096-40209a 759->761 766 401fee-401ff9 760->766 766->766 767 401ffb-402003 GetTickCount 766->767 768 402032-402038 767->768 769 402005-402007 767->769 770 402053-402083 GlobalAlloc call 401c26 768->770 772 40203a-40204a 768->772 769->770 771 402009-40200f 769->771 777 402088-402093 770->777 771->770 774 402011-402023 771->774 775 40204c 772->775 776 40204e-402051 772->776 778 402025 774->778 779 402027-40202a 774->779 775->776 776->770 776->772 777->761 778->779 779->774 780 40202c-40202e 779->780 780->771 781 402030 780->781 781->770
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                              • GetLastError.KERNEL32 ref: 00401F86
                                                                              • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                              • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                              • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                              • GlobalAlloc.KERNELBASE(00000040,00000000), ref: 00401FBF
                                                                              • GetTickCount.KERNEL32 ref: 00401FFB
                                                                              • GlobalAlloc.KERNELBASE(00000040,?), ref: 00402061
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                              • String ID:
                                                                              • API String ID: 564119183-0
                                                                              • Opcode ID: c339dbb3d4f54c4bfe23240511e1faf338c1a50a53de60f6f0a2310917010a4d
                                                                              • Instruction ID: 3f373f2fe47a9e58058ec223940fe379f908771e1a31376a549d0366c6000c22
                                                                              • Opcode Fuzzy Hash: c339dbb3d4f54c4bfe23240511e1faf338c1a50a53de60f6f0a2310917010a4d
                                                                              • Instruction Fuzzy Hash: D0314C32A402516FDB109FB99E889AF7FB8EF45344B10807AFA46F7291D6748841C7A8

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetVersion.KERNEL32 ref: 00402D86
                                                                                • Part of subcall function 004039F0: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402DBF,00000000), ref: 00403A01
                                                                                • Part of subcall function 004039F0: HeapDestroy.KERNEL32 ref: 00403A40
                                                                              • GetCommandLineA.KERNEL32 ref: 00402DD4
                                                                              • GetStartupInfoA.KERNEL32(?), ref: 00402DFF
                                                                              • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402E22
                                                                                • Part of subcall function 00402E7B: ExitProcess.KERNEL32 ref: 00402E98
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                              • String ID:
                                                                              • API String ID: 2057626494-0
                                                                              • Opcode ID: 9e286e5f9a377e3797ece88135c359dedbbb575cc14907a13f37508a60b21901
                                                                              • Instruction ID: f31f1ce04d2051e6b9e8acf883bbbbaa5bd69f55a1c9941ff1c46623f1a3e60c
                                                                              • Opcode Fuzzy Hash: 9e286e5f9a377e3797ece88135c359dedbbb575cc14907a13f37508a60b21901
                                                                              • Instruction Fuzzy Hash: AD219FB0840715AADB04EFA6DE09A6E7BB8EB04704F10413FF502B72E2DB388510CB59

                                                                              Control-flow Graph

                                                                              control_flow_graph 889 40223d-40b514 GetLastError LoadLibraryExA
                                                                              APIs
                                                                              • GetLastError.KERNEL32 ref: 0040223D
                                                                              • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 0040B500
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastLibraryLoad
                                                                              • String ID: 2
                                                                              • API String ID: 3568775529-4175869482
                                                                              • Opcode ID: 46a972f82e300271c5c0ad26d8b6c0500f2c65ead2251e592649c3a81edbb788
                                                                              • Instruction ID: 202b3bf2a9678272b0942fded1eb44736d11c3c9fef4d2a9126dfe260b1d5e4f
                                                                              • Opcode Fuzzy Hash: 46a972f82e300271c5c0ad26d8b6c0500f2c65ead2251e592649c3a81edbb788
                                                                              • Instruction Fuzzy Hash: 56D0A931E40208EFEB50AF208D8A7483AA0FB08300F610431BA03B8290C3B050408B5E

                                                                              Control-flow Graph

                                                                              control_flow_graph 904 2ce1aa9-2ce1ac3 InterlockedIncrement 905 2ce1add-2ce1ae0 904->905 906 2ce1ac5-2ce1ad7 WSAStartup InterlockedExchange 904->906 906->905
                                                                              APIs
                                                                              • InterlockedIncrement.KERNEL32(02D1727C), ref: 02CE1ABA
                                                                              • WSAStartup.WS2_32(00000002,00000000), ref: 02CE1ACB
                                                                              • InterlockedExchange.KERNEL32(02D17280,00000000), ref: 02CE1AD7
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Interlocked$ExchangeIncrementStartup
                                                                              • String ID:
                                                                              • API String ID: 1856147945-0
                                                                              • Opcode ID: 154c7f9601ad61d78bfbdac582fc8f1026b0e971def2cca1378f0b5d823f1b9e
                                                                              • Instruction ID: 0b45b4a621dc13e71bf69af2f79403ffb99bd5b51a1fe23cad716ccedf66c154
                                                                              • Opcode Fuzzy Hash: 154c7f9601ad61d78bfbdac582fc8f1026b0e971def2cca1378f0b5d823f1b9e
                                                                              • Instruction Fuzzy Hash: 1DD05E31AD02046BF620A6A0BD4EF78F76CE705615F100751FC6AC56E4EB916E2485A7

                                                                              Control-flow Graph

                                                                              control_flow_graph 907 402225-4022e2 RegSetValueExA RegCloseKey 909 4022e8-40ba5c SetEvent call 4022cb StartServiceCtrlDispatcherA 907->909 915 40ba5d 909->915 915->915
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: CloseEventValue
                                                                              • String ID:
                                                                              • API String ID: 3274066644-0
                                                                              • Opcode ID: 622d392b40578182c82d1c97e9e0572cec5adab44bc3c9c38859b9dc6ae99d88
                                                                              • Instruction ID: 5fb376b86e8a49f8134fd603d72217cd51757c679373552acc848ecac8247880
                                                                              • Opcode Fuzzy Hash: 622d392b40578182c82d1c97e9e0572cec5adab44bc3c9c38859b9dc6ae99d88
                                                                              • Instruction Fuzzy Hash: 67D09231448004EBCB016BE09E0D92D7E75BB05305B2504B9B203700A1C73914A1AB6E

                                                                              Control-flow Graph

                                                                              control_flow_graph 916 2d2fec1-2d66aff CreateFileA
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002D1A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D1A000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2d1a000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID: `io
                                                                              • API String ID: 823142352-3782016954
                                                                              • Opcode ID: 36cb0ad4e76b8abfd09da0b17d59327fe3114cef4ec580710ad768cbb33a9bfc
                                                                              • Instruction ID: 058c91682429c15695d945dcf7a27560ed44fa6381eeb030e2e255bc4a534a3f
                                                                              • Opcode Fuzzy Hash: 36cb0ad4e76b8abfd09da0b17d59327fe3114cef4ec580710ad768cbb33a9bfc
                                                                              • Instruction Fuzzy Hash: 49416AF150C604AFE719BF19EC8177AB7E5EF84310F06882DE6C487740EA39A8548B97

                                                                              Control-flow Graph

                                                                              control_flow_graph 920 402616-402617 921 40b880-40b892 RegOpenKeyExA 920->921 922 402621-402625 920->922 923 40b898-40b89b 921->923 924 40221e-402220 921->924 924->922
                                                                              APIs
                                                                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders), ref: 0040B88A
                                                                              Strings
                                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040B880
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Open
                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                              • API String ID: 71445658-2036018995
                                                                              • Opcode ID: d42c8c2e09f0ade400b127a6f8a5a893b99a64b50af58aa63b6ce36b6dd82233
                                                                              • Instruction ID: 34acf4ffc5f27f61dd11ec1305511e0cacadf6b4b6d94de9565c5e33e50f063e
                                                                              • Opcode Fuzzy Hash: d42c8c2e09f0ade400b127a6f8a5a893b99a64b50af58aa63b6ce36b6dd82233
                                                                              • Instruction Fuzzy Hash: 4FD0A732348106DAD7008BE4AE4C7A977A8B74435AF318577D903F01C0E3F98049622E
                                                                              APIs
                                                                              • RegCreateKeyExA.KERNELBASE(80000002,Software\SmallTour), ref: 0040B908
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Create
                                                                              • String ID: Software\SmallTour
                                                                              • API String ID: 2289755597-3113880327
                                                                              • Opcode ID: e92014f5741c40466362d97be325f14a575943e2691ca884df845f09a2c42994
                                                                              • Instruction ID: b121c522d648ce6c13185118dedb7333930437af0ce722c4cbd77dbabdbc5d41
                                                                              • Opcode Fuzzy Hash: e92014f5741c40466362d97be325f14a575943e2691ca884df845f09a2c42994
                                                                              • Instruction Fuzzy Hash: 3FC048A029C14AEDE1600A219E9AF37208CDA04748B30003B3B1BB00D083785A22A0AF
                                                                              APIs
                                                                              • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402DBF,00000000), ref: 00403A01
                                                                                • Part of subcall function 004038A8: GetVersionExA.KERNEL32 ref: 004038C7
                                                                              • HeapDestroy.KERNEL32 ref: 00403A40
                                                                                • Part of subcall function 00403DC7: HeapAlloc.KERNEL32(00000000,00000140,00403A29,000003F8), ref: 00403DD4
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$AllocCreateDestroyVersion
                                                                              • String ID:
                                                                              • API String ID: 2507506473-0
                                                                              • Opcode ID: 08f14aee262382775140a5fb38b16d88e88289f6ea168ffb6a246c9e47cbf934
                                                                              • Instruction ID: 5dadef9d12e489db140da5c14b34350ea54a5b880f3286d9e4ff1a1591b79aa3
                                                                              • Opcode Fuzzy Hash: 08f14aee262382775140a5fb38b16d88e88289f6ea168ffb6a246c9e47cbf934
                                                                              • Instruction Fuzzy Hash: 04F065707553016ADB24EF705E4676B3DD8AB80B53F10443BF541F41E0EB7C8690991A
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002D1A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D1A000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2d1a000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID:
                                                                              • API String ID: 2738559852-0
                                                                              • Opcode ID: d09f324fefab837f193d671a4e8671875105c403d2504b26e0d898ed814965dc
                                                                              • Instruction ID: 8c680db9f8ae5e13e4a94dc94da53273d2f8a4b11ff06c7e195b8cc5c49409c2
                                                                              • Opcode Fuzzy Hash: d09f324fefab837f193d671a4e8671875105c403d2504b26e0d898ed814965dc
                                                                              • Instruction Fuzzy Hash: 8B416FB250C610AFE7156E19DC85BBABBE9EF98720F06492DEBC883740D63558408BD7
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002D1A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D1A000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2d1a000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: DeleteFile
                                                                              • String ID:
                                                                              • API String ID: 4033686569-0
                                                                              • Opcode ID: f3ef28c9098564d07ae337382e149d342a29a769a9454d9c368cd47cc928549e
                                                                              • Instruction ID: e46d59107fc29bbb69dae4c02e67ef1d856a9f29ffdfac6a97851929448a95d5
                                                                              • Opcode Fuzzy Hash: f3ef28c9098564d07ae337382e149d342a29a769a9454d9c368cd47cc928549e
                                                                              • Instruction Fuzzy Hash: BF2165F260C600AFE305AF19ED417BEFBE9EF94720F16892EE2C5C2710D67448408A97
                                                                              APIs
                                                                              • WriteFile.KERNELBASE(79E8203A), ref: 02D57B95
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002D1A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D1A000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2d1a000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: cd0febcd1071aa5bc93e48686e89cff253e61651240fae521e0fcdaf2b58b3ef
                                                                              • Instruction ID: 0f60cba13552a89e297b951f9900a6a2ea6f70a387ae1b01c00c8e82eacf3381
                                                                              • Opcode Fuzzy Hash: cd0febcd1071aa5bc93e48686e89cff253e61651240fae521e0fcdaf2b58b3ef
                                                                              • Instruction Fuzzy Hash: A11103B250CA149BE3157F09D88577AFBE4EF54720F02492DDBC847B40EA35A8548A97
                                                                              APIs
                                                                              • WriteFile.KERNELBASE(168B68CD), ref: 02D4D270
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002D1A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D1A000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2d1a000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: 8f7163427943724ba8510b2c343b7d9618ca2d72e9f3b07da64dbb5655805525
                                                                              • Instruction ID: 98a221293234db6acc4b5ab41b1fa44004105f5bf43506f9895285fc7c36972b
                                                                              • Opcode Fuzzy Hash: 8f7163427943724ba8510b2c343b7d9618ca2d72e9f3b07da64dbb5655805525
                                                                              • Instruction Fuzzy Hash: EDD01CF008CA088BD3147F48DC84778FBF4AF00300F12481CC2D186310EA308888CB86
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: ManagerOpen
                                                                              • String ID:
                                                                              • API String ID: 1889721586-0
                                                                              • Opcode ID: a14b483666c5fc9b8ff22ac58c0ab17ceceb2191c36a5213c526b5f02116a518
                                                                              • Instruction ID: 232d1456c01f78a6ba59260e61f8e62572dc572c9d60a38e8b06950da2094227
                                                                              • Opcode Fuzzy Hash: a14b483666c5fc9b8ff22ac58c0ab17ceceb2191c36a5213c526b5f02116a518
                                                                              • Instruction Fuzzy Hash: A2C08CA004C10AEEC2104E001BDC43A30AD91883083348837E603F2AE0C3BC0D03B87F
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: CopyFile
                                                                              • String ID:
                                                                              • API String ID: 1304948518-0
                                                                              • Opcode ID: a97fd838a653de36010c31a52f7293aa102a31b9ebbdc3e1072805a91a9b159b
                                                                              • Instruction ID: c522f2358f225cf1c4a15b48037f0488db4b7f5a95cfe0defdb7541790945284
                                                                              • Opcode Fuzzy Hash: a97fd838a653de36010c31a52f7293aa102a31b9ebbdc3e1072805a91a9b159b
                                                                              • Instruction Fuzzy Hash: C2B0922028C206D6D1004A141B4DB362219C704741B380477292BB10D2CBBC4042319F
                                                                              APIs
                                                                              • RegQueryValueExA.KERNELBASE ref: 0040B51B
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: QueryValue
                                                                              • String ID:
                                                                              • API String ID: 3660427363-0
                                                                              • Opcode ID: acf80bdad13ab1dcba0d3f112fef4d2f5fd76cef4d8293611f25947eef744e06
                                                                              • Instruction ID: e76b455b11ff224b55ac1dbe3b1499c0013a56c932f19d711532b2ebfa22ccaa
                                                                              • Opcode Fuzzy Hash: acf80bdad13ab1dcba0d3f112fef4d2f5fd76cef4d8293611f25947eef744e06
                                                                              • Instruction Fuzzy Hash: 51C02B3048D30086EB22CFB088041983A207890B047110CBE8003720C1C7744042A7CF
                                                                              APIs
                                                                              • CreateDirectoryA.KERNELBASE ref: 0040B12B
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectory
                                                                              • String ID:
                                                                              • API String ID: 4241100979-0
                                                                              • Opcode ID: d86483f5c49182509ab129724d0fd15c8a56cfe47f65ff0aeaee7a482973cdab
                                                                              • Instruction ID: 05cdfdb419a29a078e1a5807cc2fddba59cfecf06acba27636b602faa0e0be10
                                                                              • Opcode Fuzzy Hash: d86483f5c49182509ab129724d0fd15c8a56cfe47f65ff0aeaee7a482973cdab
                                                                              • Instruction Fuzzy Hash: CEA022302CE028E3C000BB000E08E2A2E28E028302330C0333303B00C003BF20232BEF
                                                                              APIs
                                                                              • RegCloseKey.KERNELBASE(?), ref: 0040B84F
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID:
                                                                              • API String ID: 3535843008-0
                                                                              • Opcode ID: 54325de0c48bbed9867d0bfd2c8db3161bfbf60f7de79c28628eb2dfc7211496
                                                                              • Instruction ID: c47c1c762f42aee7be3bd5e3f96ee2e5193ba5f5b854ad9103954dc17480d21c
                                                                              • Opcode Fuzzy Hash: 54325de0c48bbed9867d0bfd2c8db3161bfbf60f7de79c28628eb2dfc7211496
                                                                              • Instruction Fuzzy Hash: 18B01231C58040D6C6001B808A05C1A3E70EA143003218073E313300E0833A60126A4F
                                                                              APIs
                                                                              • Sleep.KERNELBASE(000003E8), ref: 0040B684
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: 579288e05d382d61efe3944d19b0733f96d4007ad5b87395da2ebddb59ab9ab5
                                                                              • Instruction ID: 6fade1d1ec90957231e49091bfb28855a4070128dd8e91ec00eaee17107283e7
                                                                              • Opcode Fuzzy Hash: 579288e05d382d61efe3944d19b0733f96d4007ad5b87395da2ebddb59ab9ab5
                                                                              • Instruction Fuzzy Hash: 28F0B471A00606AFD704DFA8D980AAA73A8FB04314F210126F616E71D0D739D94696AE
                                                                              APIs
                                                                              • VirtualAlloc.KERNELBASE(00000000), ref: 0040BA29
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 8249ae698149d75f9e9d9fe1eea590c3b390e3fa07a05e8c3bd25844569859fa
                                                                              • Instruction ID: 875afba7be18bc28836bb96a55021a3113a20f3fe73b7cd2d283758a3c34a07d
                                                                              • Opcode Fuzzy Hash: 8249ae698149d75f9e9d9fe1eea590c3b390e3fa07a05e8c3bd25844569859fa
                                                                              • Instruction Fuzzy Hash: DDB01231644101EBC20007A04D047603650F708744F250932A903B12D0C338046AEAEF
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: f7b812978dd37915f31f8d7cc53c3a2cc7c1bee03418cd357c99bd42725f773e
                                                                              • Instruction ID: 49aa039f61561db0fc539dd536d612c9ed795406b6cbcd0371f8ad56698f4af9
                                                                              • Opcode Fuzzy Hash: f7b812978dd37915f31f8d7cc53c3a2cc7c1bee03418cd357c99bd42725f773e
                                                                              • Instruction Fuzzy Hash: 33B01230948500D7C20047606D04B203930F300300F100132A20B301E1C73614527B4F
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: lstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 1586166983-0
                                                                              • Opcode ID: d54b458d61a78df8872dc2bc0560f73c7a258f6717f6a9e085e1daf93bcced45
                                                                              • Instruction ID: a52736f1970860127354a3e5bc4c9e1c7fb76f912a72f56bd436bf7b8e465569
                                                                              • Opcode Fuzzy Hash: d54b458d61a78df8872dc2bc0560f73c7a258f6717f6a9e085e1daf93bcced45
                                                                              • Instruction Fuzzy Hash: B0900260685101EAE2208B72590C3192555A55864171148795803E0251D7398011556D
                                                                              APIs
                                                                              • CreateServiceA.ADVAPI32 ref: 004025C0
                                                                              • CloseServiceHandle.ADVAPI32(?), ref: 0040B142
                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 0040BA6F
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Service$CloseHandle$Create
                                                                              • String ID:
                                                                              • API String ID: 2095555506-0
                                                                              • Opcode ID: e858b8e07da31aaea066bf320dab7e10ba7e73c670a0c99565c3beb8301389e5
                                                                              • Instruction ID: 2c57a793267860c8416b62d0af7600b6947d569aa6da246257328b76db486df6
                                                                              • Opcode Fuzzy Hash: e858b8e07da31aaea066bf320dab7e10ba7e73c670a0c99565c3beb8301389e5
                                                                              • Instruction Fuzzy Hash: C3F0EC70484141EBD7218FA4CE8899A3F71EA1235172100A2E9427A1D1C73A9F43FF9E
                                                                              APIs
                                                                              • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02CF08E2
                                                                              • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02CF08EA
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorFormatLastMessage
                                                                              • String ID:
                                                                              • API String ID: 3479602957-0
                                                                              • Opcode ID: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
                                                                              • Instruction ID: c4c62a51414ab60926f79cb4230e379076a262d388daa7090a2db4e44ce9fad4
                                                                              • Opcode Fuzzy Hash: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
                                                                              • Instruction Fuzzy Hash: 9AF03030208341DFEB64CE25C851B2EB7E4ABDDB54F50492CFA9592192E770D245CB56
                                                                              APIs
                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02CF4DD6,?,?,?,00000001), ref: 02CF946D
                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02CF9476
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExceptionFilterUnhandled
                                                                              • String ID:
                                                                              • API String ID: 3192549508-0
                                                                              • Opcode ID: a5e7f710bafd7c073c7240c03dc2c23f9f5be2accb86172c8f7f7caa4deadc8b
                                                                              • Instruction ID: ae86c17069f2a65df9808fa51bd7d8a95892ae846ed1cfe1ca85d930098037a3
                                                                              • Opcode Fuzzy Hash: a5e7f710bafd7c073c7240c03dc2c23f9f5be2accb86172c8f7f7caa4deadc8b
                                                                              • Instruction Fuzzy Hash: 47B09231484208EBEB012B91EC49F89BF38EB04662F104A10F60D492688B6268609AA1
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _memset
                                                                              • String ID:
                                                                              • API String ID: 2102423945-0
                                                                              • Opcode ID: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                              • Instruction ID: 621b14f7b65395b9e01e9050d72f64244fb3daa3d7e01dff4df748340f6b6886
                                                                              • Opcode Fuzzy Hash: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                              • Instruction Fuzzy Hash: 06F082B1904309ABD714DF95D942B9DFBB9EB84310F208169D608A7340F6717A119B94
                                                                              APIs
                                                                              • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040BA56
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: CtrlDispatcherServiceStart
                                                                              • String ID:
                                                                              • API String ID: 3789849863-0
                                                                              • Opcode ID: cd3fc729cc565af5f9e19fa13f89f3738964cccb76ec011b9c8ebaf89f6a96f8
                                                                              • Instruction ID: ff38cc132043d6f24fa157630e334457b3b30a3b0b276be37ad55199a0acdf12
                                                                              • Opcode Fuzzy Hash: cd3fc729cc565af5f9e19fa13f89f3738964cccb76ec011b9c8ebaf89f6a96f8
                                                                              • Instruction Fuzzy Hash: 1EE04F6080D281FFDB11D76049949B97B74EB1A351B2554E7D043B66D2C37C0E07EBAE
                                                                              APIs
                                                                              • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040BA56
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: CtrlDispatcherServiceStart
                                                                              • String ID:
                                                                              • API String ID: 3789849863-0
                                                                              • Opcode ID: 542f690ebdc7cf5ea0e643997ca8341dd1f2790eaeb0af7154466a56b3dce7f6
                                                                              • Instruction ID: 8ee052c53226da038e4bd59659a46a9804a398483d7e4a99f38ce6736202652f
                                                                              • Opcode Fuzzy Hash: 542f690ebdc7cf5ea0e643997ca8341dd1f2790eaeb0af7154466a56b3dce7f6
                                                                              • Instruction Fuzzy Hash: 33E08C719086428FD701876088AD6A8BBA4EE0636131645A28843A6592D7388A4B9B9E
                                                                              APIs
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02CE1D11
                                                                              • GetLastError.KERNEL32 ref: 02CE1D23
                                                                                • Part of subcall function 02CE1712: __EH_prolog.LIBCMT ref: 02CE1717
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02CE1D59
                                                                              • GetLastError.KERNEL32 ref: 02CE1D6B
                                                                              • __beginthreadex.LIBCMT ref: 02CE1DB1
                                                                              • GetLastError.KERNEL32 ref: 02CE1DC6
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CE1DDD
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CE1DEC
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02CE1E14
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CE1E1B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                              • String ID: thread$thread.entry_event$thread.exit_event
                                                                              • API String ID: 831262434-3017686385
                                                                              • Opcode ID: 65fff1abd99625c1dbbe159a36312396824537a9e1246e6d7892f7a0094e3145
                                                                              • Instruction ID: c3be7c6b73199b6d23692e19b4c748bc4ac6fa2c4d8e9adba2117e6a49a1bc35
                                                                              • Opcode Fuzzy Hash: 65fff1abd99625c1dbbe159a36312396824537a9e1246e6d7892f7a0094e3145
                                                                              • Instruction Fuzzy Hash: 5E318271A003019FDB00EF24C888B2BBBA5FB84754F144A5DF95A8B395DB709D55CF92
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE24E6
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02CE24FC
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CE250E
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CE256D
                                                                              • SetLastError.KERNEL32(00000000,?,7622DFB0), ref: 02CE257F
                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7622DFB0), ref: 02CE2599
                                                                              • GetLastError.KERNEL32(?,7622DFB0), ref: 02CE25A2
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02CE25F0
                                                                              • InterlockedDecrement.KERNEL32(00000002), ref: 02CE262F
                                                                              • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02CE268E
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CE2699
                                                                              • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02CE26AD
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7622DFB0), ref: 02CE26BD
                                                                              • GetLastError.KERNEL32(?,7622DFB0), ref: 02CE26C7
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                              • String ID:
                                                                              • API String ID: 1213838671-0
                                                                              • Opcode ID: a480eedeea7bb75f19f6b8131b89319b6e011c84d253795a4adad801f7c3d8f2
                                                                              • Instruction ID: 4c56d0ecaf6aff8e1dd1ce4068e6db86741e4d590ec2005c7404becb14ea6f1f
                                                                              • Opcode Fuzzy Hash: a480eedeea7bb75f19f6b8131b89319b6e011c84d253795a4adad801f7c3d8f2
                                                                              • Instruction Fuzzy Hash: 38611CB1900209AFDB11DFA4D984FAEBBBDFF48314F10462AE956E7250D730AA14CF61
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE4608
                                                                                • Part of subcall function 02CF3A8F: _malloc.LIBCMT ref: 02CF3AA7
                                                                              • htons.WS2_32(?), ref: 02CE4669
                                                                              • htonl.WS2_32(?), ref: 02CE468C
                                                                              • htonl.WS2_32(00000000), ref: 02CE4693
                                                                              • htons.WS2_32(00000000), ref: 02CE4747
                                                                              • _sprintf.LIBCMT ref: 02CE475D
                                                                                • Part of subcall function 02CE88BF: _memmove.LIBCMT ref: 02CE88DF
                                                                              • htons.WS2_32(?), ref: 02CE46B0
                                                                                • Part of subcall function 02CE966A: __EH_prolog.LIBCMT ref: 02CE966F
                                                                                • Part of subcall function 02CE966A: RtlEnterCriticalSection.NTDLL(00000020), ref: 02CE96EA
                                                                                • Part of subcall function 02CE966A: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02CE9708
                                                                                • Part of subcall function 02CE1BA7: __EH_prolog.LIBCMT ref: 02CE1BAC
                                                                                • Part of subcall function 02CE1BA7: RtlEnterCriticalSection.NTDLL ref: 02CE1BBC
                                                                                • Part of subcall function 02CE1BA7: RtlLeaveCriticalSection.NTDLL ref: 02CE1BEA
                                                                                • Part of subcall function 02CE1BA7: RtlEnterCriticalSection.NTDLL ref: 02CE1C13
                                                                                • Part of subcall function 02CE1BA7: RtlLeaveCriticalSection.NTDLL ref: 02CE1C56
                                                                                • Part of subcall function 02CEDE26: __EH_prolog.LIBCMT ref: 02CEDE2B
                                                                              • htonl.WS2_32(?), ref: 02CE497C
                                                                              • htonl.WS2_32(00000000), ref: 02CE4983
                                                                              • htonl.WS2_32(00000000), ref: 02CE49C8
                                                                              • htonl.WS2_32(00000000), ref: 02CE49CF
                                                                              • htons.WS2_32(?), ref: 02CE49EF
                                                                              • htons.WS2_32(?), ref: 02CE49F9
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                              • String ID:
                                                                              • API String ID: 1645262487-0
                                                                              • Opcode ID: a408992b64f7539aa0a2cd4ffcadb7e0de904e5278fd00f9f61f2f346fc45142
                                                                              • Instruction ID: 03583f38cfe1753c37eca4bc679b3c7cfa02c651cf4ec5bde3bbe1d7607ab0a9
                                                                              • Opcode Fuzzy Hash: a408992b64f7539aa0a2cd4ffcadb7e0de904e5278fd00f9f61f2f346fc45142
                                                                              • Instruction Fuzzy Hash: B7024871D00259EFEF25DBA4D844BEEBBB9BF08304F10415AE506B7290DB746A48DFA1
                                                                              APIs
                                                                              • RegisterServiceCtrlHandlerA.ADVAPI32(ET Ammeter Side 10.7.46,Function_0000235E), ref: 004023C1
                                                                              • SetServiceStatus.ADVAPI32(0040A0E0), ref: 00402420
                                                                              • GetLastError.KERNEL32 ref: 00402422
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                                              • GetLastError.KERNEL32 ref: 00402450
                                                                              • SetServiceStatus.ADVAPI32(0040A0E0), ref: 00402480
                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                                              • CloseHandle.KERNEL32 ref: 004024A1
                                                                              • SetServiceStatus.ADVAPI32(0040A0E0), ref: 004024CA
                                                                              Strings
                                                                              • ET Ammeter Side 10.7.46, xrefs: 004023BC
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                              • String ID: ET Ammeter Side 10.7.46
                                                                              • API String ID: 3346042915-298150824
                                                                              • Opcode ID: 753c8bccf627cb5353d4a294398c8736193124083ae435b11ee25f47cab8285e
                                                                              • Instruction ID: 1420ef795783f2c616889eaeaacfbb85f42c25b2a6fdf7f0143c9c805b11b94c
                                                                              • Opcode Fuzzy Hash: 753c8bccf627cb5353d4a294398c8736193124083ae435b11ee25f47cab8285e
                                                                              • Instruction Fuzzy Hash: D4210C70441309EBD210DF16EF49E567FB8EB85754711C03BE206B22B0D7BA0064EB6E
                                                                              APIs
                                                                              • RtlDecodePointer.NTDLL(?), ref: 02CF827A
                                                                              • _free.LIBCMT ref: 02CF8293
                                                                                • Part of subcall function 02CF2EB4: HeapFree.KERNEL32(00000000,00000000,?,02CF5C12,00000000,00000104,76230A60), ref: 02CF2EC8
                                                                                • Part of subcall function 02CF2EB4: GetLastError.KERNEL32(00000000,?,02CF5C12,00000000,00000104,76230A60), ref: 02CF2EDA
                                                                              • _free.LIBCMT ref: 02CF82A6
                                                                              • _free.LIBCMT ref: 02CF82C4
                                                                              • _free.LIBCMT ref: 02CF82D6
                                                                              • _free.LIBCMT ref: 02CF82E7
                                                                              • _free.LIBCMT ref: 02CF82F2
                                                                              • _free.LIBCMT ref: 02CF8316
                                                                              • RtlEncodePointer.NTDLL(0089CE50), ref: 02CF831D
                                                                              • _free.LIBCMT ref: 02CF8332
                                                                              • _free.LIBCMT ref: 02CF8348
                                                                              • _free.LIBCMT ref: 02CF8370
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                              • String ID:
                                                                              • API String ID: 3064303923-0
                                                                              • Opcode ID: 59c772818cd9fd42a5ec2d29afdd63faa68932399150cd7087e1328131756244
                                                                              • Instruction ID: 325eba7c81dc84032fbc35a33b4787a24fe8e27dcbcd62ad420cfac7a4818a61
                                                                              • Opcode Fuzzy Hash: 59c772818cd9fd42a5ec2d29afdd63faa68932399150cd7087e1328131756244
                                                                              • Instruction Fuzzy Hash: 2121E232C81250EFDBE5AF14F84051A7769BB4472133A0A2AEE0497790DB34ED6ADFD1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE4D8B
                                                                              • RtlEnterCriticalSection.NTDLL(02D171B8), ref: 02CE4DB7
                                                                              • RtlLeaveCriticalSection.NTDLL(02D171B8), ref: 02CE4DC3
                                                                                • Part of subcall function 02CE4BED: __EH_prolog.LIBCMT ref: 02CE4BF2
                                                                                • Part of subcall function 02CE4BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02CE4CF2
                                                                              • RtlEnterCriticalSection.NTDLL(02D171B8), ref: 02CE4E93
                                                                              • RtlLeaveCriticalSection.NTDLL(02D171B8), ref: 02CE4E99
                                                                              • RtlEnterCriticalSection.NTDLL(02D171B8), ref: 02CE4EA0
                                                                              • RtlLeaveCriticalSection.NTDLL(02D171B8), ref: 02CE4EA6
                                                                              • RtlEnterCriticalSection.NTDLL(02D171B8), ref: 02CE50A7
                                                                              • RtlLeaveCriticalSection.NTDLL(02D171B8), ref: 02CE50AD
                                                                              • RtlEnterCriticalSection.NTDLL(02D171B8), ref: 02CE50B8
                                                                              • RtlLeaveCriticalSection.NTDLL(02D171B8), ref: 02CE50C1
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                              • String ID:
                                                                              • API String ID: 2062355503-0
                                                                              • Opcode ID: 8841776ee373dbc209a58155d56d2ddf59b6a64a4190bfedf2bcbab56a93435f
                                                                              • Instruction ID: 07e95336e8169da445cce788b66d9ad5a5c280d3a2376b01493115bae194468b
                                                                              • Opcode Fuzzy Hash: 8841776ee373dbc209a58155d56d2ddf59b6a64a4190bfedf2bcbab56a93435f
                                                                              • Instruction Fuzzy Hash: 0BB16A31D0425DDFEF25DF90C840BEEBBB5AF44314F14409AE806AB290DBB45A49CFA2
                                                                              APIs
                                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035B9
                                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035CD
                                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035F9
                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402DE4), ref: 00403631
                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402DE4), ref: 00403653
                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402DE4), ref: 0040366C
                                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 0040367F
                                                                              • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004036BD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                              • String ID: -@
                                                                              • API String ID: 1823725401-2999422947
                                                                              • Opcode ID: d09c44be7b725e9416f1bbabc7ff939c5033ef1a694eb4ed66286c613d9d8241
                                                                              • Instruction ID: a052efc5f8264b04540ba139265ff63877c4dc4e75c0ae38b6650f7b3518fcca
                                                                              • Opcode Fuzzy Hash: d09c44be7b725e9416f1bbabc7ff939c5033ef1a694eb4ed66286c613d9d8241
                                                                              • Instruction Fuzzy Hash: 7A31F0B24042217EDB303F785C8883B7E9CE64574A7120D3BF542E3390E67A8E814AAD
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE3428
                                                                              • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02CE346B
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02CE3472
                                                                              • GetLastError.KERNEL32 ref: 02CE3486
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02CE34D7
                                                                              • RtlEnterCriticalSection.NTDLL(00000018), ref: 02CE34ED
                                                                              • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02CE3518
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                              • String ID: CancelIoEx$KERNEL32
                                                                              • API String ID: 2902213904-434325024
                                                                              • Opcode ID: 347f12bc2d73dbc057622664034c1cbadf0b032f9fde0a75ed67a0742b31834a
                                                                              • Instruction ID: c7b2c75fbb79e94def4a547ea5a5e6caaff9c17e2f391819e681f050f0fe4b25
                                                                              • Opcode Fuzzy Hash: 347f12bc2d73dbc057622664034c1cbadf0b032f9fde0a75ed67a0742b31834a
                                                                              • Instruction Fuzzy Hash: 61316DB5900345DFEB019F64C884BBABBF9FF88310F108599E91A9B355D770A911CFA1
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403D7D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406528,?,00406578,?,?,?,Runtime Error!Program: ), ref: 0040541A
                                                                              • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405432
                                                                              • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00405443
                                                                              • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00405450
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad
                                                                              • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$xe@
                                                                              • API String ID: 2238633743-4073082454
                                                                              • Opcode ID: c1c5459b902c6d691e26e6f6b3d5bc075fbf46770f4929c54e66e674ea662e67
                                                                              • Instruction ID: 002c49bf34bfddc632f277928187d9a53126bd14f393e8a72b926efab3457658
                                                                              • Opcode Fuzzy Hash: c1c5459b902c6d691e26e6f6b3d5bc075fbf46770f4929c54e66e674ea662e67
                                                                              • Instruction Fuzzy Hash: E1018431740705AFC7109FB4AD80E6B7AE9FB48791309843BB955F22A1D778C860CF69
                                                                              APIs
                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403CC6
                                                                              • GetStdHandle.KERNEL32(000000F4,00406528,00000000,?,00000000,00000000), ref: 00403D9C
                                                                              • WriteFile.KERNEL32(00000000), ref: 00403DA3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: File$HandleModuleNameWrite
                                                                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $r@
                                                                              • API String ID: 3784150691-1191147370
                                                                              • Opcode ID: d598713df4d839de7fd74915155ccdeaa4efa499b3dc35e679589c6eb5dc5418
                                                                              • Instruction ID: 901e413bd7d296cb1b0b97d790854a8d5494ec17f79a926850544caa0371b074
                                                                              • Opcode Fuzzy Hash: d598713df4d839de7fd74915155ccdeaa4efa499b3dc35e679589c6eb5dc5418
                                                                              • Instruction Fuzzy Hash: F831C772A04208AEEF20EF60DE49F9A776CEF45304F1004BBF545F61C1D6B8AA858A59
                                                                              APIs
                                                                              • LCMapStringW.KERNEL32(00000000,00000100,004065F4,00000001,00000000,00000000,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 00405917
                                                                              • LCMapStringA.KERNEL32(00000000,00000100,004065F0,00000001,00000000,00000000,?,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405933
                                                                              • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,004051A5,?,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 0040597C
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 004059B4
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405A0C
                                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405A22
                                                                              • LCMapStringW.KERNEL32(00000000,?,004051A5,00000000,004051A5,?,?,004051A5,00200020,00000000,?,00000000), ref: 00405A55
                                                                              • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405ABD
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: String$ByteCharMultiWide
                                                                              • String ID:
                                                                              • API String ID: 352835431-0
                                                                              • Opcode ID: 6e7e0904aad4ffb7df7fa70090622cd283316a6a4d1fe7c3c07164d91eefa06b
                                                                              • Instruction ID: ad677ee5f46337090c489763c5b1535e0d4a7e7cc2f37d679e5ddd81b555dfe6
                                                                              • Opcode Fuzzy Hash: 6e7e0904aad4ffb7df7fa70090622cd283316a6a4d1fe7c3c07164d91eefa06b
                                                                              • Instruction Fuzzy Hash: 8B516C71A00609EFCF218FA5DD85A9F7FB5FB48750F14422AF911B21A0D3398921DF69
                                                                              APIs
                                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000,7378BE13), ref: 02CF15F0
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CF1605
                                                                              • ResetEvent.KERNEL32(00000000,7378BE13), ref: 02CF160F
                                                                              • CloseHandle.KERNEL32(00000000,7378BE13), ref: 02CF1644
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7378BE13), ref: 02CF16BA
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CF16CF
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseEventHandle$CreateOpenReset
                                                                              • String ID:
                                                                              • API String ID: 1285874450-0
                                                                              • Opcode ID: 100e27c8676d9d990487297b704b0613b9f093d19270515057cfcb41a7d4ba44
                                                                              • Instruction ID: 734fa9e2cfa6fe179c984796ac941234fc3827a182bcfd0e74fe4bbe3c996f61
                                                                              • Opcode Fuzzy Hash: 100e27c8676d9d990487297b704b0613b9f093d19270515057cfcb41a7d4ba44
                                                                              • Instruction Fuzzy Hash: 89412E70D04358EFDFA0CFA5C884BADBBB8EB45724F184219E519AB380D7719A05CB91
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE20AC
                                                                              • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02CE20CD
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CE20D8
                                                                              • InterlockedDecrement.KERNEL32(?), ref: 02CE213E
                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02CE217A
                                                                              • InterlockedDecrement.KERNEL32(?), ref: 02CE2187
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CE21A6
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                              • String ID:
                                                                              • API String ID: 1171374749-0
                                                                              • Opcode ID: 2556e172be20fb86a1624505ac40d55de7d36bf95d6d5549da9136365356d035
                                                                              • Instruction ID: 029a5b38bd7799f2c0086b5330792cf77bd3469eaa692d93511bb36c9210c1d3
                                                                              • Opcode Fuzzy Hash: 2556e172be20fb86a1624505ac40d55de7d36bf95d6d5549da9136365356d035
                                                                              • Instruction Fuzzy Hash: F74138715047019FD721DF25D884A6BBBF9FFC8654F104A1EF89A82250D730EA09DFA2
                                                                              APIs
                                                                                • Part of subcall function 02CF1E10: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02CF166E,?,?), ref: 02CF1E3F
                                                                                • Part of subcall function 02CF1E10: CloseHandle.KERNEL32(00000000,?,?,02CF166E,?,?), ref: 02CF1E54
                                                                                • Part of subcall function 02CF1E10: SetEvent.KERNEL32(00000000,02CF166E,?,?), ref: 02CF1E67
                                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000,7378BE13), ref: 02CF15F0
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CF1605
                                                                              • ResetEvent.KERNEL32(00000000,7378BE13), ref: 02CF160F
                                                                              • CloseHandle.KERNEL32(00000000,7378BE13), ref: 02CF1644
                                                                              • __CxxThrowException@8.LIBCMT ref: 02CF1675
                                                                                • Part of subcall function 02CF449A: RaiseException.KERNEL32(?,?,02CEFA92,?,?,?,?,?,?,?,02CEFA92,?,02D10F78,?), ref: 02CF44EF
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7378BE13), ref: 02CF16BA
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CF16CF
                                                                                • Part of subcall function 02CF1B50: GetCurrentProcessId.KERNEL32(?), ref: 02CF1BA9
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,7378BE13), ref: 02CF16DF
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                              • String ID:
                                                                              • API String ID: 2227236058-0
                                                                              • Opcode ID: 66dd10e12591f4678b9e59d729e5820ece772cbe305cd9adb4658a41804821ec
                                                                              • Instruction ID: 038c92c45e36bae5ccbd298b99d968397914c1b1562546b911a3600c580b3c38
                                                                              • Opcode Fuzzy Hash: 66dd10e12591f4678b9e59d729e5820ece772cbe305cd9adb4658a41804821ec
                                                                              • Instruction Fuzzy Hash: 46317E71D00348DBDFA0CBA4CC85BADB7B9EF45325F1C0119EA1DEB280E7B19A058B51
                                                                              APIs
                                                                              • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403A36), ref: 00404639
                                                                              • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403A36), ref: 0040465D
                                                                              • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403A36), ref: 00404677
                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403A36), ref: 00404738
                                                                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403A36), ref: 0040474F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual$FreeHeap
                                                                              • String ID: r@$r@
                                                                              • API String ID: 714016831-1712950306
                                                                              • Opcode ID: 6146d640eca2786615fae02a601f05dd2cfcbd8d5d5bc8993479f9a7be96b628
                                                                              • Instruction ID: 6d2ae56a8b2e66d9b660bb9c1c671dd7469dd609f739855ae4ec176a3c74651c
                                                                              • Opcode Fuzzy Hash: 6146d640eca2786615fae02a601f05dd2cfcbd8d5d5bc8993479f9a7be96b628
                                                                              • Instruction Fuzzy Hash: 3531BEB0940702ABD3309F24DD44B66B7A4EB86755F11463BF265BB2D0E7B8A8418B4D
                                                                              APIs
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CE2706
                                                                              • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02CE272B
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02D05A93), ref: 02CE2738
                                                                                • Part of subcall function 02CE1712: __EH_prolog.LIBCMT ref: 02CE1717
                                                                              • SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02CE2778
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CE27D9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                              • String ID: timer
                                                                              • API String ID: 4293676635-1792073242
                                                                              • Opcode ID: 2f169c143d17b4b07277e079160c2a85bd86be060766aab04617171e20f587ac
                                                                              • Instruction ID: 441f8e10c3439cb07dc585af22033ede1bcb59e21998fadf9bd96d39fe9e4f8a
                                                                              • Opcode Fuzzy Hash: 2f169c143d17b4b07277e079160c2a85bd86be060766aab04617171e20f587ac
                                                                              • Instruction Fuzzy Hash: B831E0B1804742AFD710DF25C885B26BBE8FB48724F004A2EF85687680D770ED10CF92
                                                                              APIs
                                                                              • __init_pointers.LIBCMT ref: 02CF5CD4
                                                                                • Part of subcall function 02CF8442: RtlEncodePointer.NTDLL(00000000), ref: 02CF8445
                                                                                • Part of subcall function 02CF8442: __initp_misc_winsig.LIBCMT ref: 02CF8460
                                                                                • Part of subcall function 02CF8442: GetModuleHandleW.KERNEL32(kernel32.dll,?,02D11578,00000008,00000003,02D10F5C,?,00000001), ref: 02CF91C1
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02CF91D5
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02CF91E8
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02CF91FB
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02CF920E
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02CF9221
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02CF9234
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02CF9247
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02CF925A
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02CF926D
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02CF9280
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02CF9293
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02CF92A6
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02CF92B9
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02CF92CC
                                                                                • Part of subcall function 02CF8442: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02CF92DF
                                                                              • __mtinitlocks.LIBCMT ref: 02CF5CD9
                                                                              • __mtterm.LIBCMT ref: 02CF5CE2
                                                                                • Part of subcall function 02CF5D4A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02CF8878
                                                                                • Part of subcall function 02CF5D4A: _free.LIBCMT ref: 02CF887F
                                                                                • Part of subcall function 02CF5D4A: RtlDeleteCriticalSection.NTDLL(02D13978), ref: 02CF88A1
                                                                              • __calloc_crt.LIBCMT ref: 02CF5D07
                                                                              • __initptd.LIBCMT ref: 02CF5D29
                                                                              • GetCurrentThreadId.KERNEL32 ref: 02CF5D30
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                              • String ID:
                                                                              • API String ID: 3567560977-0
                                                                              • Opcode ID: 739877c10551d5f2c340564f0e035298a7793cc007949e45307c6e6876554950
                                                                              • Instruction ID: dfc2bc77708f4881f3a1fe3ddd56679f94aec1f1e7b22d895f848e6d593fdefa
                                                                              • Opcode Fuzzy Hash: 739877c10551d5f2c340564f0e035298a7793cc007949e45307c6e6876554950
                                                                              • Instruction Fuzzy Hash: E0F024335597111FF6E836B47D0A34A2786DF41BB0B700B29E751C90C0FF21CD426941
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 02CF341E
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02CF3425
                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02CF3431
                                                                              • RtlDecodePointer.NTDLL(00000001), ref: 02CF344E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                              • String ID: RoInitialize$combase.dll
                                                                              • API String ID: 3489934621-340411864
                                                                              • Opcode ID: 187fe8c67852fccc00f7755b322160c25f590791d2819c8e823e1a0951a355bf
                                                                              • Instruction ID: a681031f1320622da13038038643057138d732ef950c3795516150374034feb2
                                                                              • Opcode Fuzzy Hash: 187fe8c67852fccc00f7755b322160c25f590791d2819c8e823e1a0951a355bf
                                                                              • Instruction Fuzzy Hash: A2E03970DD0280BAFA601B31EC89B053B69B740B42F204864B102DA3E8C7B49D259A50
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02CF33F3), ref: 02CF34F3
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02CF34FA
                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02CF3505
                                                                              • RtlDecodePointer.NTDLL(02CF33F3), ref: 02CF3520
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                              • String ID: RoUninitialize$combase.dll
                                                                              • API String ID: 3489934621-2819208100
                                                                              • Opcode ID: a33781b1d0e89c19bfcb78299458ff73b63022b33f17bffcb44f27efa3630c12
                                                                              • Instruction ID: 0b0598388f4cf5970243c84f81cd6105f10bcb65bd1433a7ecb892252612b5aa
                                                                              • Opcode Fuzzy Hash: a33781b1d0e89c19bfcb78299458ff73b63022b33f17bffcb44f27efa3630c12
                                                                              • Instruction Fuzzy Hash: B7E01A70DC1340BBFA605F60EC4CB053768F744702F200854F102E63E9C7B8AD248A55
                                                                              APIs
                                                                              • TlsGetValue.KERNEL32(FFFFFFFF,7378BE13,?,?,?,?,00000000,02D069F8,000000FF,02CF210A), ref: 02CF1EAA
                                                                              • TlsSetValue.KERNEL32(FFFFFFFF,02CF210A,?,?,00000000), ref: 02CF1F17
                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02CF1F41
                                                                              • HeapFree.KERNEL32(00000000), ref: 02CF1F44
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: HeapValue$FreeProcess
                                                                              • String ID:
                                                                              • API String ID: 1812714009-0
                                                                              • Opcode ID: b6cbf6a749ca466583bd8e3aab0a987933602cf38d3fc675ae13fb0978d7f9a0
                                                                              • Instruction ID: 16212725471377563c98be6bc21a908657863765dc570f3b7a53653a505b3218
                                                                              • Opcode Fuzzy Hash: b6cbf6a749ca466583bd8e3aab0a987933602cf38d3fc675ae13fb0978d7f9a0
                                                                              • Instruction Fuzzy Hash: 7E51C035904344DFD7A0CF29C888B16BBE4FB85664F1A8658F91D9B390D7B2ED00CB91
                                                                              APIs
                                                                              • _ValidateScopeTableHandlers.LIBCMT ref: 02D056D0
                                                                              • __FindPESection.LIBCMT ref: 02D056EA
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FindHandlersScopeSectionTableValidate
                                                                              • String ID:
                                                                              • API String ID: 876702719-0
                                                                              • Opcode ID: 6a2b1f1744c2bd65e11351ab5643cdc3ef8e36eff64015269f813866232351cf
                                                                              • Instruction ID: 65d2b89749c06b4e84b3dd455896259e7ad02bc4c0f03e423c52336a36984786
                                                                              • Opcode Fuzzy Hash: 6a2b1f1744c2bd65e11351ab5643cdc3ef8e36eff64015269f813866232351cf
                                                                              • Instruction Fuzzy Hash: 31A19A75A002159FDB24CF58E8C0BAEB7A5FB45324F944669DC56AB3A1E731EC01CFA0
                                                                              APIs
                                                                              • GetStringTypeW.KERNEL32(00000001,004065F4,00000001,00000000,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405B63
                                                                              • GetStringTypeA.KERNEL32(00000000,00000001,004065F0,00000001,?,?,00000000,00000000,00000001), ref: 00405B7D
                                                                              • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BB1
                                                                              • MultiByteToWideChar.KERNEL32(004051A5,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BE9
                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405C3F
                                                                              • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405C51
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: StringType$ByteCharMultiWide
                                                                              • String ID:
                                                                              • API String ID: 3852931651-0
                                                                              • Opcode ID: d4209c6b3d3c9ca3d0b98124627720af5477d93fa3c81dc5f6dd6a722f71754a
                                                                              • Instruction ID: b73683cf29d179dc30ac0dacbc12c8afa3e963ef4805c6be7b54428ebd0f8a91
                                                                              • Opcode Fuzzy Hash: d4209c6b3d3c9ca3d0b98124627720af5477d93fa3c81dc5f6dd6a722f71754a
                                                                              • Instruction Fuzzy Hash: 1E417B71500609EFDF219F94DD86AAF7F79EB05750F10443AFA12B6290C339A960CBA9
                                                                              APIs
                                                                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02CE1CB1
                                                                              • CloseHandle.KERNEL32(?), ref: 02CE1CBA
                                                                              • InterlockedExchangeAdd.KERNEL32(02D17244,00000000), ref: 02CE1CC6
                                                                              • TerminateThread.KERNEL32(?,00000000), ref: 02CE1CD4
                                                                              • QueueUserAPC.KERNEL32(02CE1E7C,?,00000000), ref: 02CE1CE1
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02CE1CEC
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                              • String ID:
                                                                              • API String ID: 1946104331-0
                                                                              • Opcode ID: 40991bbb53df36c27b959a72ddb2d35fdb562f65e4879e3754915da3edc6480b
                                                                              • Instruction ID: 6481ff0ad5dc8c74379d4f46d013e055ebfa9bd57c50a101d710284c311a926c
                                                                              • Opcode Fuzzy Hash: 40991bbb53df36c27b959a72ddb2d35fdb562f65e4879e3754915da3edc6480b
                                                                              • Instruction Fuzzy Hash: A9F04431940654BFEB105B96ED4DE97FBBCEB85721B10475DF52AC22A0DBB06D20CB60
                                                                              APIs
                                                                                • Part of subcall function 02CE9A0C: __EH_prolog.LIBCMT ref: 02CE9A11
                                                                                • Part of subcall function 02CE9A0C: _Allocate.LIBCPMT ref: 02CE9A68
                                                                                • Part of subcall function 02CE9A0C: _memmove.LIBCMT ref: 02CE9ABF
                                                                              • _memset.LIBCMT ref: 02CF0879
                                                                              • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02CF08E2
                                                                              • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02CF08EA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                                              • String ID: Unknown error$invalid string position
                                                                              • API String ID: 1854462395-1837348584
                                                                              • Opcode ID: fbee1a2d20b0c11375414b9cdf1bd18e6cf21d91113572300432c0346e7de05a
                                                                              • Instruction ID: df7497647f5bd76c87f44e77fc76b48c4617a6cd0c11a77a4e6b9f23ec3e5bb5
                                                                              • Opcode Fuzzy Hash: fbee1a2d20b0c11375414b9cdf1bd18e6cf21d91113572300432c0346e7de05a
                                                                              • Instruction Fuzzy Hash: 8E51BF70608341DFE794CF25C890B2EBBE4EB98744F50092DF98297692E771E648CF92
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 02CE2BE4
                                                                              • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02CE2C07
                                                                                • Part of subcall function 02CEA43C: WSAGetLastError.WS2_32(00000000,?,?,02CE2A51), ref: 02CEA44A
                                                                              • WSASetLastError.WS2_32 ref: 02CE2CD3
                                                                              • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02CE2CE7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Recvselect
                                                                              • String ID: 3'
                                                                              • API String ID: 886190287-280543908
                                                                              • Opcode ID: 94dd91b88551a0aeefc64d02d5d3f0d73451d1ef7ce3327ab11fc5f66afc2f1a
                                                                              • Instruction ID: 23c7f2ea1d08c27207d0ddb5bb8986917f07167672dcd9ce559252e83d6a57e9
                                                                              • Opcode Fuzzy Hash: 94dd91b88551a0aeefc64d02d5d3f0d73451d1ef7ce3327ab11fc5f66afc2f1a
                                                                              • Instruction Fuzzy Hash: 15416DB19043019FEB509F74C844B6BBBEDBF88754F10491EE99A87290EB70DA50CB92
                                                                              APIs
                                                                              • GetVersionExA.KERNEL32 ref: 004038C7
                                                                              • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004038FC
                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040395C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentFileModuleNameVariableVersion
                                                                              • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                              • API String ID: 1385375860-4131005785
                                                                              • Opcode ID: 476567a857e94c6b60ab0a2bb3643b3ab9519d2bf8b3118ed803bebf3e2b5968
                                                                              • Instruction ID: dfbe321087950a958f1f5ebe55e663b38e75b845a74228cdfb1d658b51cb0ff2
                                                                              • Opcode Fuzzy Hash: 476567a857e94c6b60ab0a2bb3643b3ab9519d2bf8b3118ed803bebf3e2b5968
                                                                              • Instruction Fuzzy Hash: A53127B29052446DEB319A705C46BDF3F6C9B02305F2400FBD185F52C2D2B99F85CB18
                                                                              APIs
                                                                              • std::exception::exception.LIBCMT ref: 02CF18BF
                                                                                • Part of subcall function 02CF2413: std::exception::_Copy_str.LIBCMT ref: 02CF242C
                                                                                • Part of subcall function 02CF0C90: __CxxThrowException@8.LIBCMT ref: 02CF0CEE
                                                                              • std::exception::exception.LIBCMT ref: 02CF191E
                                                                              Strings
                                                                              • boost unique_lock owns already the mutex, xrefs: 02CF190D
                                                                              • boost unique_lock has no mutex, xrefs: 02CF18AE
                                                                              • $, xrefs: 02CF1923
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                              • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                              • API String ID: 2140441600-46888669
                                                                              • Opcode ID: efe32424c2598923697bb788cfe5931c3277bf74c9c5e6c6c49b235cccb1e4d4
                                                                              • Instruction ID: 17fdd00d6a7a9104262c4792be4a88212cc17b8883a8848c354a4b2acf1d782f
                                                                              • Opcode Fuzzy Hash: efe32424c2598923697bb788cfe5931c3277bf74c9c5e6c6c49b235cccb1e4d4
                                                                              • Instruction Fuzzy Hash: 782123B15087809FD3A0DF24C58475BBBE9BB88B08F104A1EF5A587390D7B9D908DF82
                                                                              APIs
                                                                              • __getptd_noexit.LIBCMT ref: 02CF49C0
                                                                                • Part of subcall function 02CF5BB2: GetLastError.KERNEL32(76230A60,7622F550,02CF5DA0,02CF2F73,7622F550,?,02CE606D,00000104,76230A60,7622F550,ntdll.dll,?,?,?,02CE6508), ref: 02CF5BB4
                                                                                • Part of subcall function 02CF5BB2: __calloc_crt.LIBCMT ref: 02CF5BD5
                                                                                • Part of subcall function 02CF5BB2: __initptd.LIBCMT ref: 02CF5BF7
                                                                                • Part of subcall function 02CF5BB2: GetCurrentThreadId.KERNEL32 ref: 02CF5BFE
                                                                                • Part of subcall function 02CF5BB2: SetLastError.KERNEL32(00000000,02CE606D,00000104,76230A60,7622F550,ntdll.dll,?,?,?,02CE6508), ref: 02CF5C16
                                                                              • __calloc_crt.LIBCMT ref: 02CF49E3
                                                                              • __get_sys_err_msg.LIBCMT ref: 02CF4A01
                                                                              • __invoke_watson.LIBCMT ref: 02CF4A1E
                                                                              Strings
                                                                              • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02CF49CB, 02CF49F1
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                              • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                              • API String ID: 109275364-798102604
                                                                              • Opcode ID: 687537b8933ed9373c2206df2fd623fb52718942ed85daf71ae9c66d36ce63cc
                                                                              • Instruction ID: 5bed723e4b040b7af56b5213663999932738f95e3f342eea53c715d2d93858df
                                                                              • Opcode Fuzzy Hash: 687537b8933ed9373c2206df2fd623fb52718942ed85daf71ae9c66d36ce63cc
                                                                              • Instruction Fuzzy Hash: 17F02432B447056AA7F9691A5C40B2F729DEB806B4B00022AEF85D7300EB218E00E695
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2350
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2360
                                                                              • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02CE2370
                                                                              • GetLastError.KERNEL32 ref: 02CE237A
                                                                                • Part of subcall function 02CE1712: __EH_prolog.LIBCMT ref: 02CE1717
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                              • String ID: pqcs
                                                                              • API String ID: 1619523792-2559862021
                                                                              • Opcode ID: 2c9f1cff1c4637d840fc40ef6c97b3c771a8d048ed59515231ccc6f123dddaad
                                                                              • Instruction ID: 4ccc692b7f138264fd039b7e9c62205b0a9346fcf2e130b38f633a3e2563cc49
                                                                              • Opcode Fuzzy Hash: 2c9f1cff1c4637d840fc40ef6c97b3c771a8d048ed59515231ccc6f123dddaad
                                                                              • Instruction Fuzzy Hash: 77F05B71940304AFEB106F74DC49F6B77BCEB40601F104655E90AD7654E7B0ED149B51
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE4035
                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02CE4042
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02CE4049
                                                                              • std::exception::exception.LIBCMT ref: 02CE4063
                                                                                • Part of subcall function 02CEA5FD: __EH_prolog.LIBCMT ref: 02CEA602
                                                                                • Part of subcall function 02CEA5FD: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02CEA611
                                                                                • Part of subcall function 02CEA5FD: __CxxThrowException@8.LIBCMT ref: 02CEA630
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                              • String ID: bad allocation
                                                                              • API String ID: 3112922283-2104205924
                                                                              • Opcode ID: 09341d09bbef38dd962b8809c9a37c0677bda7ae10fd110481a83d41bd618783
                                                                              • Instruction ID: f9596c46a529298e61a215be350498fab1fb37ece040cabe9911dcdafdaee9ad
                                                                              • Opcode Fuzzy Hash: 09341d09bbef38dd962b8809c9a37c0677bda7ae10fd110481a83d41bd618783
                                                                              • Instruction Fuzzy Hash: 6BF05E71D442099BDB00EFE0D949BAFBB78FB04300F904559E915A6390D7755A148F61
                                                                              APIs
                                                                              • GetStartupInfoA.KERNEL32(?), ref: 00403729
                                                                              • GetFileType.KERNEL32(00000800), ref: 004037CF
                                                                              • GetStdHandle.KERNEL32(-000000F6), ref: 00403828
                                                                              • GetFileType.KERNEL32(00000000), ref: 00403836
                                                                              • SetHandleCount.KERNEL32 ref: 0040386D
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: FileHandleType$CountInfoStartup
                                                                              • String ID:
                                                                              • API String ID: 1710529072-0
                                                                              • Opcode ID: 1ce75c326bde2c2d02afe177aeb4995e441bbd179d01f1070c3041f2ee44749b
                                                                              • Instruction ID: 340931fb5571d0dd89e9413526c141aa1936fc067e7847d678db743c6b9c99aa
                                                                              • Opcode Fuzzy Hash: 1ce75c326bde2c2d02afe177aeb4995e441bbd179d01f1070c3041f2ee44749b
                                                                              • Instruction Fuzzy Hash: A65136B25003508BD7209F28CD48B563FE8EB01336F19C67AE492EB2E1C738C955C75A
                                                                              APIs
                                                                                • Part of subcall function 02CF1990: CloseHandle.KERNEL32(00000000,7378BE13), ref: 02CF19E1
                                                                                • Part of subcall function 02CF1990: WaitForSingleObject.KERNEL32(?,000000FF,7378BE13,?,?,?,?,7378BE13,02CF1963,7378BE13), ref: 02CF19F8
                                                                              • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02CF1C5E
                                                                              • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02CF1C7E
                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02CF1CB7
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02CF1D0B
                                                                              • SetEvent.KERNEL32(?), ref: 02CF1D12
                                                                                • Part of subcall function 02CE418C: CloseHandle.KERNEL32(00000000,?,02CF1C45), ref: 02CE41B0
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                              • String ID:
                                                                              • API String ID: 4166353394-0
                                                                              • Opcode ID: 21caa5e4cbd5bd4ac39848f31a59787a4263ed53f6a008cdaaf7fb0e2d249dba
                                                                              • Instruction ID: 8b2300014f3b2eb4f4d83fbdae7a3f3ba014c3315594414ddbbf48d2a0a58c9c
                                                                              • Opcode Fuzzy Hash: 21caa5e4cbd5bd4ac39848f31a59787a4263ed53f6a008cdaaf7fb0e2d249dba
                                                                              • Instruction Fuzzy Hash: 4241F231A00701CBEBA6CF29CC80B1677A4EF85724F290668ED19EB395D775DD118BE1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CEE030
                                                                                • Part of subcall function 02CE1A01: TlsGetValue.KERNEL32 ref: 02CE1A0A
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CEE0AF
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CEE0CB
                                                                              • InterlockedIncrement.KERNEL32(02D15180), ref: 02CEE0F0
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CEE105
                                                                                • Part of subcall function 02CE27F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02CE284E
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                              • String ID:
                                                                              • API String ID: 1578506061-0
                                                                              • Opcode ID: 02d83d38ab904c626cfb5f3263ed1c711a0f3c444f280cfd3cd129a6d72ee758
                                                                              • Instruction ID: 5fbace7f8638f4753b437f50f25424ce03efc99ca47856a3d457751aa61a6ee3
                                                                              • Opcode Fuzzy Hash: 02d83d38ab904c626cfb5f3263ed1c711a0f3c444f280cfd3cd129a6d72ee758
                                                                              • Instruction Fuzzy Hash: 1F3157B1D00204AFCB10DFA8C444AAABBF8FF48310F14895EE84AD7640E775AA14DFA0
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 02CE2A3B
                                                                              • closesocket.WS2_32 ref: 02CE2A42
                                                                              • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02CE2A89
                                                                              • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02CE2A97
                                                                              • closesocket.WS2_32 ref: 02CE2A9E
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLastclosesocket$ioctlsocket
                                                                              • String ID:
                                                                              • API String ID: 1561005644-0
                                                                              • Opcode ID: 52faaaabd8924bc2098f94b92e713ebe78dd3d2484bf43a0c9850ee97cbce795
                                                                              • Instruction ID: 431a637e8cb26aad60b1a417ea73ec7f8864c73ce1011c5347aa1a4ca4b702f1
                                                                              • Opcode Fuzzy Hash: 52faaaabd8924bc2098f94b92e713ebe78dd3d2484bf43a0c9850ee97cbce795
                                                                              • Instruction Fuzzy Hash: 5F210871940305AFEF20ABB8C844B6AB7EDAF88315F104969ED06C3241EB70DE458B52
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE1BAC
                                                                              • RtlEnterCriticalSection.NTDLL ref: 02CE1BBC
                                                                              • RtlLeaveCriticalSection.NTDLL ref: 02CE1BEA
                                                                              • RtlEnterCriticalSection.NTDLL ref: 02CE1C13
                                                                              • RtlLeaveCriticalSection.NTDLL ref: 02CE1C56
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$H_prolog
                                                                              • String ID:
                                                                              • API String ID: 1633115879-0
                                                                              • Opcode ID: cbaab3f7e112be45371a50ab454f0e20572c9ca60a323ae19d7d215cbab0d842
                                                                              • Instruction ID: 9d477a3d212d3bd1a2654afe827c5f9f1ed550fb95b6d29b7ea02e5f2f4faff4
                                                                              • Opcode Fuzzy Hash: cbaab3f7e112be45371a50ab454f0e20572c9ca60a323ae19d7d215cbab0d842
                                                                              • Instruction Fuzzy Hash: FC21ADB5900644AFDF14CF68D484B9ABBB5FF88310F248589EC5A9B301D7B0EE11CBA0
                                                                              APIs
                                                                              • _malloc.LIBCMT ref: 02D002F0
                                                                                • Part of subcall function 02CF2EEC: __FF_MSGBANNER.LIBCMT ref: 02CF2F03
                                                                                • Part of subcall function 02CF2EEC: __NMSG_WRITE.LIBCMT ref: 02CF2F0A
                                                                                • Part of subcall function 02CF2EEC: RtlAllocateHeap.NTDLL(00880000,00000000,00000001), ref: 02CF2F2F
                                                                              • _free.LIBCMT ref: 02D00303
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateHeap_free_malloc
                                                                              • String ID:
                                                                              • API String ID: 1020059152-0
                                                                              • Opcode ID: 5fbd08514ec8fd20f9bd89bff6e1afc3f03bd6f46c0e234798a1150348126c4a
                                                                              • Instruction ID: 308acc63fff42f7b695d1f76f16e1daab200006ab793d2269707f3d68d004ee5
                                                                              • Opcode Fuzzy Hash: 5fbd08514ec8fd20f9bd89bff6e1afc3f03bd6f46c0e234798a1150348126c4a
                                                                              • Instruction Fuzzy Hash: 10110A32809615BBDBA62F70A88875A37999F043A2B114925FB898A3F0DB30DC50DA90
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE21DA
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CE21ED
                                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02CE2224
                                                                              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02CE2237
                                                                              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02CE2261
                                                                                • Part of subcall function 02CE2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2350
                                                                                • Part of subcall function 02CE2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2360
                                                                                • Part of subcall function 02CE2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02CE2370
                                                                                • Part of subcall function 02CE2341: GetLastError.KERNEL32 ref: 02CE237A
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 1856819132-0
                                                                              • Opcode ID: e2930ed5a241be01d657943c8831ed3d73dce645a4bc26dd9f03480ae6ac4655
                                                                              • Instruction ID: c84fe914e5c0fb3dc8baadd00c1cd42a3c4b10d89020730c1f533b8c684ad019
                                                                              • Opcode Fuzzy Hash: e2930ed5a241be01d657943c8831ed3d73dce645a4bc26dd9f03480ae6ac4655
                                                                              • Instruction Fuzzy Hash: 2011A271D44214EBDF159FA4D844BAEFBBAFF44310F10461AEC1692270D7714A52DF81
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE229D
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CE22B0
                                                                              • TlsGetValue.KERNEL32 ref: 02CE22E7
                                                                              • TlsSetValue.KERNEL32(?), ref: 02CE2300
                                                                              • TlsSetValue.KERNEL32(?,?,?), ref: 02CE231C
                                                                                • Part of subcall function 02CE2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2350
                                                                                • Part of subcall function 02CE2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2360
                                                                                • Part of subcall function 02CE2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02CE2370
                                                                                • Part of subcall function 02CE2341: GetLastError.KERNEL32 ref: 02CE237A
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 1856819132-0
                                                                              • Opcode ID: 10e336f01cc491e4e2390ad2740ae23b4a28d4b58095c5aa1ffa88f6f9fa76f9
                                                                              • Instruction ID: 37b6f10f3bc9ba95f58e3a379345c0579f690095927e80b64bac73ffc07447ec
                                                                              • Opcode Fuzzy Hash: 10e336f01cc491e4e2390ad2740ae23b4a28d4b58095c5aa1ffa88f6f9fa76f9
                                                                              • Instruction Fuzzy Hash: E3115E72D40118ABDF05AFA5E844AAEFBBAFF48310F14851AE805A3360D7715A62DF91
                                                                              APIs
                                                                                • Part of subcall function 02CEB098: __EH_prolog.LIBCMT ref: 02CEB09D
                                                                              • __CxxThrowException@8.LIBCMT ref: 02CEBC62
                                                                                • Part of subcall function 02CF449A: RaiseException.KERNEL32(?,?,02CEFA92,?,?,?,?,?,?,?,02CEFA92,?,02D10F78,?), ref: 02CF44EF
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02D11D94,?,00000001), ref: 02CEBC78
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CEBC8B
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02D11D94,?,00000001), ref: 02CEBC9B
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02CEBCA9
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                              • String ID:
                                                                              • API String ID: 2725315915-0
                                                                              • Opcode ID: b214842e61db087dff1cf48eba302dc1c04b3b2e65ecab45827895c10d1b2ba0
                                                                              • Instruction ID: 65abde8511d35e35be455a77cbcdb1796992bc2abe0c6f21161754c8a5ebac40
                                                                              • Opcode Fuzzy Hash: b214842e61db087dff1cf48eba302dc1c04b3b2e65ecab45827895c10d1b2ba0
                                                                              • Instruction Fuzzy Hash: 1E0181B2A44705AFEB109AB4DCC9F96B7BDFB04359F104924F62AD6290DB60EC059B20
                                                                              APIs
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02CE2432
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02CE2445
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CE2454
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2469
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CE2470
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 747265849-0
                                                                              • Opcode ID: 5fa207242d720e73794fcd517769ad4184fb3f15247be7be5e82ded73b861611
                                                                              • Instruction ID: aa6bb4835fa5158b3fd13ec8b18f3ff8321af143427f3ae9a800e3c2635378d3
                                                                              • Opcode Fuzzy Hash: 5fa207242d720e73794fcd517769ad4184fb3f15247be7be5e82ded73b861611
                                                                              • Instruction Fuzzy Hash: ECF09072640200BBEB009FA0ED89FDAB73CFF44711F900511F702DA194D7A0BA20CBA1
                                                                              APIs
                                                                              • InterlockedIncrement.KERNEL32(?), ref: 02CE1ED2
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02CE1EEA
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CE1EF9
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE1F0E
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CE1F15
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 830998967-0
                                                                              • Opcode ID: a81bfc1813c9528852662b54466f09d8e9c3cafd67cbaefc82650b130ddb847c
                                                                              • Instruction ID: 16c81db40a71b76143337bb8e4176f2902eb848798101fc8a2249f6b5dca21e3
                                                                              • Opcode Fuzzy Hash: a81bfc1813c9528852662b54466f09d8e9c3cafd67cbaefc82650b130ddb847c
                                                                              • Instruction Fuzzy Hash: 8CF06732640205BBEB00AFA0EC88FDABB3CFF04351F100512F2028A555C7B1BA248BE0
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _memmove
                                                                              • String ID: invalid string position$string too long
                                                                              • API String ID: 4104443479-4289949731
                                                                              • Opcode ID: 3da69be23161c7c42281739095308f637c4c6b6b8038d8cfb2139d6faceebd56
                                                                              • Instruction ID: cf3bf60b55f612cb9d1bf108a7df8f963e0d3edae4b3950eecca2c5009ed0a2a
                                                                              • Opcode Fuzzy Hash: 3da69be23161c7c42281739095308f637c4c6b6b8038d8cfb2139d6faceebd56
                                                                              • Instruction Fuzzy Hash: CF419071300345AFDF34DE69D885A5ABBAAEB81714B000A2DF957CB7A1C770E944CB90
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 02CE30C3
                                                                              • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02CE3102
                                                                              • _memcmp.LIBCMT ref: 02CE3141
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressErrorLastString_memcmp
                                                                              • String ID: 255.255.255.255
                                                                              • API String ID: 1618111833-2422070025
                                                                              • Opcode ID: ec64595cb1d9cbf22ae4ccb7e1e3ec165c1f430be5037988e137d5b24fd99ff7
                                                                              • Instruction ID: 704b02f3fd986471995394cd4139c9c34d9a5bb06e4ddb7ec26738aadf46ff1e
                                                                              • Opcode Fuzzy Hash: ec64595cb1d9cbf22ae4ccb7e1e3ec165c1f430be5037988e137d5b24fd99ff7
                                                                              • Instruction Fuzzy Hash: DD31A1719003449FDF209F64CC80B7EB7A5BF85324F1085ADE96A9B390DB72AA458B90
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE1F5B
                                                                              • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02CE1FC5
                                                                              • GetLastError.KERNEL32(?,00000000), ref: 02CE1FD2
                                                                                • Part of subcall function 02CE1712: __EH_prolog.LIBCMT ref: 02CE1717
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                              • String ID: iocp
                                                                              • API String ID: 998023749-976528080
                                                                              • Opcode ID: 336786b89a62fe2647af64fbc6a517b48949c637fb4ebb0bb44fae9583cd167d
                                                                              • Instruction ID: dc3ba7cd6568e1d0a195303470bbb1f7943850cf8e65e35e6dcaa39e7daf1e45
                                                                              • Opcode Fuzzy Hash: 336786b89a62fe2647af64fbc6a517b48949c637fb4ebb0bb44fae9583cd167d
                                                                              • Instruction Fuzzy Hash: 4C21A5B1901B449BC720DF6AD54455BFBF9FF94720B108A1FD4A687BA0D7B0AA04CF91
                                                                              APIs
                                                                              • _malloc.LIBCMT ref: 02CF3AA7
                                                                                • Part of subcall function 02CF2EEC: __FF_MSGBANNER.LIBCMT ref: 02CF2F03
                                                                                • Part of subcall function 02CF2EEC: __NMSG_WRITE.LIBCMT ref: 02CF2F0A
                                                                                • Part of subcall function 02CF2EEC: RtlAllocateHeap.NTDLL(00880000,00000000,00000001), ref: 02CF2F2F
                                                                              • std::exception::exception.LIBCMT ref: 02CF3AC5
                                                                              • __CxxThrowException@8.LIBCMT ref: 02CF3ADA
                                                                                • Part of subcall function 02CF449A: RaiseException.KERNEL32(?,?,02CEFA92,?,?,?,?,?,?,?,02CEFA92,?,02D10F78,?), ref: 02CF44EF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                              • String ID: bad allocation
                                                                              • API String ID: 3074076210-2104205924
                                                                              • Opcode ID: a737d0625fc7e2f4551f975fd37f0b3d18c8045933278863ed6b1cdc7902399b
                                                                              • Instruction ID: c9396b696652c62e5e108d23e64ef943485718055fdc8f59cad8745e1ee4fff6
                                                                              • Opcode Fuzzy Hash: a737d0625fc7e2f4551f975fd37f0b3d18c8045933278863ed6b1cdc7902399b
                                                                              • Instruction Fuzzy Hash: 20E0E53094034EBADFC0FFA1DC04EEFBB69AF00305F100691EE14A2690EB718B04E9A1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE37B6
                                                                              • __localtime64.LIBCMT ref: 02CE37C1
                                                                                • Part of subcall function 02CF2540: __gmtime64_s.LIBCMT ref: 02CF2553
                                                                              • std::exception::exception.LIBCMT ref: 02CE37D9
                                                                                • Part of subcall function 02CF2413: std::exception::_Copy_str.LIBCMT ref: 02CF242C
                                                                                • Part of subcall function 02CEA45B: __EH_prolog.LIBCMT ref: 02CEA460
                                                                                • Part of subcall function 02CEA45B: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02CEA46F
                                                                                • Part of subcall function 02CEA45B: __CxxThrowException@8.LIBCMT ref: 02CEA48E
                                                                              Strings
                                                                              • could not convert calendar time to UTC time, xrefs: 02CE37CE
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                              • String ID: could not convert calendar time to UTC time
                                                                              • API String ID: 1963798777-2088861013
                                                                              • Opcode ID: a9cbee799159eacccfbe2f5c80b3f5c4dec2bdcc27aca9ac1f75e40ab68d9c0a
                                                                              • Instruction ID: df463fd273410ba7730dd44019e09b8e523f3c6606e139999c18c07d544c636f
                                                                              • Opcode Fuzzy Hash: a9cbee799159eacccfbe2f5c80b3f5c4dec2bdcc27aca9ac1f75e40ab68d9c0a
                                                                              • Instruction Fuzzy Hash: FAE06DB1D0020A9ACF04EF90D9947BEB779FF04300F404599DC25A33A0EB745A0A9E95
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,00008000,00004000,7622DFF0,?,00000000), ref: 00404092
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004040ED
                                                                              • HeapFree.KERNEL32(00000000,?), ref: 004040FF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Free$Virtual$Heap
                                                                              • String ID: -@
                                                                              • API String ID: 2016334554-2999422947
                                                                              • Opcode ID: 9c389c61e5a6cd43db9238f188d86346d40478f5c1fa1013f45f36ce2e9b1707
                                                                              • Instruction ID: d55dda63c6158a3f001c35490e62a79414290c04420ce97baa52a0c06dad31a7
                                                                              • Opcode Fuzzy Hash: 9c389c61e5a6cd43db9238f188d86346d40478f5c1fa1013f45f36ce2e9b1707
                                                                              • Instruction Fuzzy Hash: D1B16C75A00205DFDB24CF04CA90AA9BBB1FB88314F24C1AED9196F396C735EE41CB84
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AdjustPointer_memmove
                                                                              • String ID:
                                                                              • API String ID: 1721217611-0
                                                                              • Opcode ID: fa47196cc5ef295d1d26026ed1786c0555a756425a1e0805aaf531a20d1587df
                                                                              • Instruction ID: cef6198a808c6dcaf11ff943d44c29e7c6c7aede823493bc8e0fa35fc8f5f890
                                                                              • Opcode Fuzzy Hash: fa47196cc5ef295d1d26026ed1786c0555a756425a1e0805aaf531a20d1587df
                                                                              • Instruction Fuzzy Hash: AC41B63730430A5AEBE4DE65D880B7E3BA6DF81314F14441FEA498A1F0DB31EB84DA25
                                                                              APIs
                                                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02CE4149), ref: 02CF12FF
                                                                                • Part of subcall function 02CE3FDC: __EH_prolog.LIBCMT ref: 02CE3FE1
                                                                                • Part of subcall function 02CE3FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02CE3FF3
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CF12F4
                                                                              • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02CE4149), ref: 02CF1340
                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02CE4149), ref: 02CF1411
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandle$Event$CreateH_prolog
                                                                              • String ID:
                                                                              • API String ID: 2825413587-0
                                                                              • Opcode ID: f2217defa6bb13ce69e521c3cb5874ac8965240a9887d3ca0d3a34dcb179d436
                                                                              • Instruction ID: 439a4e49c62fa1b1f26f1b6d9e3791327ab4010ed73253adc67cbb5ee6529fc3
                                                                              • Opcode Fuzzy Hash: f2217defa6bb13ce69e521c3cb5874ac8965240a9887d3ca0d3a34dcb179d436
                                                                              • Instruction Fuzzy Hash: 5451D071A00345CBDF91DF28C884B9AB7E4BF88328F190628E96D97390D775E909CF81
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                              • String ID:
                                                                              • API String ID: 2782032738-0
                                                                              • Opcode ID: 4b00bb2f2e8909ad1b25914f564552747ffa73792e7b52f6c639d3ed484d2925
                                                                              • Instruction ID: 9857fb15ab3416d7039e2e42e05f5d9843a793d089ec54c8332dbe5f2ed0703a
                                                                              • Opcode Fuzzy Hash: 4b00bb2f2e8909ad1b25914f564552747ffa73792e7b52f6c639d3ed484d2925
                                                                              • Instruction Fuzzy Hash: 994118B5B007C5BBDBD88F69C9805AE77A6AF80364B2081BFEA15C7240D774DE41CB50
                                                                              APIs
                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02CFFE8B
                                                                              • __isleadbyte_l.LIBCMT ref: 02CFFEB9
                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 02CFFEE7
                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 02CFFF1D
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                              • String ID:
                                                                              • API String ID: 3058430110-0
                                                                              • Opcode ID: fa4b3440344947e4110f1a7a8fec722aad74d443af4627941c03accf65ae78b4
                                                                              • Instruction ID: 22ca48530bcd8aeda5633cd6a4a7f5e2268b7b0c5e1015125a04681141429c27
                                                                              • Opcode Fuzzy Hash: fa4b3440344947e4110f1a7a8fec722aad74d443af4627941c03accf65ae78b4
                                                                              • Instruction Fuzzy Hash: A531F531600286AFEBA18E35CC44BAA7BE9FF81314F16402CFA68C75E1E731D951DB90
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(FFFFFFFF,00001000,00004000,7622DFF0,?,00000000,?,-@,0040490E,00000010,00402FA3,?,?), ref: 004047F0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID: -@$r@$r@
                                                                              • API String ID: 1263568516-1251997348
                                                                              • Opcode ID: db728298b98a3dab2ecdb4dab480861bd9016d5beafec50a15f5b98851f5bcbc
                                                                              • Instruction ID: a63ca1888fca441bf056fbcf5d5deb39584b298cc2094c54b415f4e68fc1e946
                                                                              • Opcode Fuzzy Hash: db728298b98a3dab2ecdb4dab480861bd9016d5beafec50a15f5b98851f5bcbc
                                                                              • Instruction Fuzzy Hash: EE21A1B66003419BDB20AB24DD4476633A4EB81379F24CA3BDB65B66D0D378E941CB58
                                                                              APIs
                                                                              • htons.WS2_32(?), ref: 02CE3DA2
                                                                                • Part of subcall function 02CE3BD3: __EH_prolog.LIBCMT ref: 02CE3BD8
                                                                                • Part of subcall function 02CE3BD3: std::bad_exception::bad_exception.LIBCMT ref: 02CE3BED
                                                                              • htonl.WS2_32(00000000), ref: 02CE3DB9
                                                                              • htonl.WS2_32(00000000), ref: 02CE3DC0
                                                                              • htons.WS2_32(?), ref: 02CE3DD4
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                              • String ID:
                                                                              • API String ID: 3882411702-0
                                                                              • Opcode ID: dad913dfacea17f7105f12dc55b3483079f837e08e2cfb4cac1b7c28b6a70677
                                                                              • Instruction ID: eb15aea4570dc445aa879f893a6cb327751b634cacc0b9cb17eb1cccd195e103
                                                                              • Opcode Fuzzy Hash: dad913dfacea17f7105f12dc55b3483079f837e08e2cfb4cac1b7c28b6a70677
                                                                              • Instruction Fuzzy Hash: 2611CE36A00249EFDF01AF64D885AAAB7B9EF08310F008496FD05DF255D671EE14CBA1
                                                                              APIs
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02CE23D0
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CE23DE
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE2401
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CE2408
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 4018804020-0
                                                                              • Opcode ID: 7717d75c130d20e45af4b2f6b0a4f69b3592263df10aa5bc4e86a2907bcf99ee
                                                                              • Instruction ID: 6db6280d2d137d33070179c5199fac9ec88b07b735d9168800abb317e4138652
                                                                              • Opcode Fuzzy Hash: 7717d75c130d20e45af4b2f6b0a4f69b3592263df10aa5bc4e86a2907bcf99ee
                                                                              • Instruction Fuzzy Hash: 29118E72A00205ABEB109F61D984FAABBBDFF44705F10446DE9029B250E7B1FE51DFA1
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 02CE2EEE
                                                                              • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02CE2EFD
                                                                              • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02CE2F0C
                                                                              • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02CE2F36
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Socketsetsockopt
                                                                              • String ID:
                                                                              • API String ID: 2093263913-0
                                                                              • Opcode ID: f3859f0fd865f70af7311df66bc92340c3efa66308b82d91ee1935587ace9ae9
                                                                              • Instruction ID: 701e3386a8b8e4a5697d13c72003ad5f14c865f8e71047f8acaa7a97074413e2
                                                                              • Opcode Fuzzy Hash: f3859f0fd865f70af7311df66bc92340c3efa66308b82d91ee1935587ace9ae9
                                                                              • Instruction Fuzzy Hash: 6301D871940304BBDB209F75DC88F5ABBADEB89721F00C565FA09CB291C7708D008BB1
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                              • String ID:
                                                                              • API String ID: 3016257755-0
                                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                              • Instruction ID: 113c83c38bdc4bc611511c1739a9d07e11a2297a2290037bc06f7e828252d76e
                                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                              • Instruction Fuzzy Hash: 94014C3250014EBBCF92AE84DC418EE3F27BB48358B498416FB1899130D737C6B1EB81
                                                                              APIs
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02CE24A9
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02CE24B8
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02CE24CD
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02CE24D4
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 4018804020-0
                                                                              • Opcode ID: 970ed2a69eb149f6bd153f1b7ff7c23d2becff6031b4e01d33f660caa65b7644
                                                                              • Instruction ID: 0c290cc296ffdf6daf65f1fccd50cd688d8e2b2820088ea3661ee4f6cf2a226e
                                                                              • Opcode Fuzzy Hash: 970ed2a69eb149f6bd153f1b7ff7c23d2becff6031b4e01d33f660caa65b7644
                                                                              • Instruction Fuzzy Hash: 4BF03C72540205AFEB009F69EC84F9ABBBCFF45710F104519FA05CA255D7B1E9608FA1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE2009
                                                                              • RtlDeleteCriticalSection.NTDLL(?), ref: 02CE2028
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CE2037
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02CE204E
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                              • String ID:
                                                                              • API String ID: 2456309408-0
                                                                              • Opcode ID: b964a407d8a0b402225bc265492cc16f5a7cf984ffc23daaa86e31a8ff0fc910
                                                                              • Instruction ID: 36d949c6a85ae2567019eeac30db7ecbfa43b5fa6f3f43dbae5bd0380ad04343
                                                                              • Opcode Fuzzy Hash: b964a407d8a0b402225bc265492cc16f5a7cf984ffc23daaa86e31a8ff0fc910
                                                                              • Instruction Fuzzy Hash: EA0181718006449BDB39AF54E948BAAFBB9FF04704F104A5DE947826E0CB746A48CF95
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Event$H_prologSleep
                                                                              • String ID:
                                                                              • API String ID: 1765829285-0
                                                                              • Opcode ID: 7a561ef975442e3a1a3d4f231eaa20f6ef4d04a0710874eb61758c658d4cff9b
                                                                              • Instruction ID: dac21d3dc109c1a2c5917cb18feb11348a251428ea20b5a2a8ac85efb1c78c8c
                                                                              • Opcode Fuzzy Hash: 7a561ef975442e3a1a3d4f231eaa20f6ef4d04a0710874eb61758c658d4cff9b
                                                                              • Instruction Fuzzy Hash: EBF03035A40110DFDB009F94E8C8B88BBB4FF09311F5082A9FA199B3A4C7759C54CB61
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,r@,0040485C,r@,7622DFF0,?,00000000,?,-@,0040490E,00000010,00402FA3), ref: 0040476B
                                                                              • HeapFree.KERNEL32(00000000,?), ref: 004047A1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Free$HeapVirtual
                                                                              • String ID: r@$r@
                                                                              • API String ID: 3783212868-1712950306
                                                                              • Opcode ID: 615be266f2133a35edff91ca5e545c140f31fce35e26d2f64644c01e7612d901
                                                                              • Instruction ID: 9f28707f468f96f8ba01f1c404cbd9d3f6c084a3717c71e7c0065962692db169
                                                                              • Opcode Fuzzy Hash: 615be266f2133a35edff91ca5e545c140f31fce35e26d2f64644c01e7612d901
                                                                              • Instruction Fuzzy Hash: C6F01774544210DFC3248F08EE08A427BA0FB88720B11867EF996672E1C371AC50CF88
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog_memmove
                                                                              • String ID: &'
                                                                              • API String ID: 3529519853-655172784
                                                                              • Opcode ID: aa4c42e8120445066f843c4131744e37d1bc602b4d9e863a987cd10e5dc1c89b
                                                                              • Instruction ID: 81941f175b0f909e934c2ab2a5f17033ebaa798324cfe21679ddb9c37540b7ab
                                                                              • Opcode Fuzzy Hash: aa4c42e8120445066f843c4131744e37d1bc602b4d9e863a987cd10e5dc1c89b
                                                                              • Instruction Fuzzy Hash: 69617E72D00219DFDF20EFA4C980BEDBBB6AF48310F14416AD50AAB290D7719A45DFA1
                                                                              APIs
                                                                              • GetCPInfo.KERNEL32(?,00000000), ref: 00404ED1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: Info
                                                                              • String ID: $
                                                                              • API String ID: 1807457897-3032137957
                                                                              • Opcode ID: ade2e129719512a706aeac876f0a8c01095c6a06ec5d81e25aee3eb1febfb5f9
                                                                              • Instruction ID: e64d793a5bd47a750bf71bc710b27f1b951018593c94bf49e3c2bba34da37a12
                                                                              • Opcode Fuzzy Hash: ade2e129719512a706aeac876f0a8c01095c6a06ec5d81e25aee3eb1febfb5f9
                                                                              • Instruction Fuzzy Hash: 1D416B710142985EEB169714CE59FEB3FE8EB02704F1404F6DA49F61D2C2794924DBBB
                                                                              APIs
                                                                                • Part of subcall function 02CE2D39: WSASetLastError.WS2_32(00000000), ref: 02CE2D47
                                                                                • Part of subcall function 02CE2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02CE2D5C
                                                                              • WSASetLastError.WS2_32(00000000), ref: 02CE2E6D
                                                                              • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02CE2E83
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Sendselect
                                                                              • String ID: 3'
                                                                              • API String ID: 2958345159-280543908
                                                                              • Opcode ID: c17b07d2628e9811fae23fa09fac7ba8d48e4888458f8d7512323cf1d53beb87
                                                                              • Instruction ID: 9bef0ddb2e82011950632879ea94c6a803283ee6aaad6503f75acc6d05605d01
                                                                              • Opcode Fuzzy Hash: c17b07d2628e9811fae23fa09fac7ba8d48e4888458f8d7512323cf1d53beb87
                                                                              • Instruction Fuzzy Hash: 6931C0B1E002199FDF10EF60C804BEE7BAEBF48314F00455ADE0A97281E7709A95DFA1
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02CE8306,?,?,00000000), ref: 02CE9603
                                                                              • getsockname.WS2_32(?,?,?), ref: 02CE9619
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLastgetsockname
                                                                              • String ID: &'
                                                                              • API String ID: 566540725-655172784
                                                                              • Opcode ID: e20bb6dbf32ba210abc2a03b3d22330a3b525891e16c892abcf47c7dfde842e4
                                                                              • Instruction ID: 8c96ff1afb15fd174675136807e886e7e5c5832295e3cba19ba9873cd980ae89
                                                                              • Opcode Fuzzy Hash: e20bb6dbf32ba210abc2a03b3d22330a3b525891e16c892abcf47c7dfde842e4
                                                                              • Instruction Fuzzy Hash: 242151B2A00208DFDB50DF78D844ADEB7F5FF4C324F11856AE919EB281D730A9558B90
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CECBE7
                                                                                • Part of subcall function 02CED1C3: std::exception::exception.LIBCMT ref: 02CED1F2
                                                                                • Part of subcall function 02CED979: __EH_prolog.LIBCMT ref: 02CED97E
                                                                                • Part of subcall function 02CF3A8F: _malloc.LIBCMT ref: 02CF3AA7
                                                                                • Part of subcall function 02CED222: __EH_prolog.LIBCMT ref: 02CED227
                                                                              Strings
                                                                              • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02CECC1D
                                                                              • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02CECC24
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$_mallocstd::exception::exception
                                                                              • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                              • API String ID: 1953324306-1943798000
                                                                              • Opcode ID: 5f0d8f207734461fabc9e17a34c47e776de379a7ecfc54c1a80a8b68c902a3b5
                                                                              • Instruction ID: 5c14591166054b5285a109a54c007632a7898a13f95971ebd0261b1975100462
                                                                              • Opcode Fuzzy Hash: 5f0d8f207734461fabc9e17a34c47e776de379a7ecfc54c1a80a8b68c902a3b5
                                                                              • Instruction Fuzzy Hash: F8219E71E00284AADF18EFE4E954AAEBBB9EF14700F00405EE807A73A0DB705E45DF91
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CECCDC
                                                                                • Part of subcall function 02CED29A: std::exception::exception.LIBCMT ref: 02CED2C7
                                                                                • Part of subcall function 02CEDAB0: __EH_prolog.LIBCMT ref: 02CEDAB5
                                                                                • Part of subcall function 02CF3A8F: _malloc.LIBCMT ref: 02CF3AA7
                                                                                • Part of subcall function 02CED2F7: __EH_prolog.LIBCMT ref: 02CED2FC
                                                                              Strings
                                                                              • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02CECD12
                                                                              • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02CECD19
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$_mallocstd::exception::exception
                                                                              • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                              • API String ID: 1953324306-412195191
                                                                              • Opcode ID: 4d5b675e6a10a681356a2920a0e6f37f49f1a75a6fafeef4fb8b68257a6350c0
                                                                              • Instruction ID: 6a8008ab2390eeb58ab4ccf7e497c27a46739dc878cdc125082fb47bb8f0b1eb
                                                                              • Opcode Fuzzy Hash: 4d5b675e6a10a681356a2920a0e6f37f49f1a75a6fafeef4fb8b68257a6350c0
                                                                              • Instruction Fuzzy Hash: 65216D71E00288AAEF18EFE4E454BADBBB9EF54304F00415DE907A73A0DBB05E45DB91
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 02CE2AEA
                                                                              • connect.WS2_32(?,?,?), ref: 02CE2AF5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLastconnect
                                                                              • String ID: 3'
                                                                              • API String ID: 374722065-280543908
                                                                              • Opcode ID: eaa6b708fc15b8964ec7edae9bf0d7590fdc8304f7327b07ae617e50c4c5892b
                                                                              • Instruction ID: 0519dad811d5e2fb174619879a64a978d134a0fc3da80d55867564222baa699a
                                                                              • Opcode Fuzzy Hash: eaa6b708fc15b8964ec7edae9bf0d7590fdc8304f7327b07ae617e50c4c5892b
                                                                              • Instruction Fuzzy Hash: F5219571E00204ABDF14AFB4C804BBEBBBEEF84724F008559DD1A97285DB745A159F92
                                                                              APIs
                                                                              • _malloc.LIBCMT ref: 02CE535D
                                                                                • Part of subcall function 02CF2EEC: __FF_MSGBANNER.LIBCMT ref: 02CF2F03
                                                                                • Part of subcall function 02CF2EEC: __NMSG_WRITE.LIBCMT ref: 02CF2F0A
                                                                                • Part of subcall function 02CF2EEC: RtlAllocateHeap.NTDLL(00880000,00000000,00000001), ref: 02CF2F2F
                                                                              • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02CE536F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateFolderHeapPathSpecial_malloc
                                                                              • String ID: \save.dat
                                                                              • API String ID: 4128168839-3580179773
                                                                              • Opcode ID: 0269b5137fbc7cf8e0000aff8871061078ebce2e8c6c563dab13522c9288caac
                                                                              • Instruction ID: 1c81449a063a0456dde3228550f0ab431b5a4f723e763ce0c98fed0b9873ea11
                                                                              • Opcode Fuzzy Hash: 0269b5137fbc7cf8e0000aff8871061078ebce2e8c6c563dab13522c9288caac
                                                                              • Instruction Fuzzy Hash: C21131729042847BDF21DE658CC0A5FFF67DF82654B5441A9E84967341DAA21D02D6A0
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE396A
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02CE39C1
                                                                                • Part of subcall function 02CE1410: std::exception::exception.LIBCMT ref: 02CE1428
                                                                                • Part of subcall function 02CEA551: __EH_prolog.LIBCMT ref: 02CEA556
                                                                                • Part of subcall function 02CEA551: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02CEA565
                                                                                • Part of subcall function 02CEA551: __CxxThrowException@8.LIBCMT ref: 02CEA584
                                                                              Strings
                                                                              • Day of month is not valid for year, xrefs: 02CE39AC
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Day of month is not valid for year
                                                                              • API String ID: 1404951899-1521898139
                                                                              • Opcode ID: 35a0e602a929fd679e3baa9e60066516c529080ab2db06db4bba9decc1a0f4c8
                                                                              • Instruction ID: 2763cfb142c7ae266d285366c606f4611c914e5226591b521b52197b5176657c
                                                                              • Opcode Fuzzy Hash: 35a0e602a929fd679e3baa9e60066516c529080ab2db06db4bba9decc1a0f4c8
                                                                              • Instruction Fuzzy Hash: F601DE36810209AACF04EFA4D844AEEBB79FF14710F40801AEC0593350EB708A54EBA5
                                                                              APIs
                                                                              • std::exception::exception.LIBCMT ref: 02CEFA4A
                                                                              • __CxxThrowException@8.LIBCMT ref: 02CEFA5F
                                                                                • Part of subcall function 02CF3A8F: _malloc.LIBCMT ref: 02CF3AA7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                              • String ID: bad allocation
                                                                              • API String ID: 4063778783-2104205924
                                                                              • Opcode ID: 1d872db433a81e01f685868e37347708edf528e9f1975564dc6db9ccf1dcf8e1
                                                                              • Instruction ID: 2b6948b63edef0fc34338adba5f157977b8d1c49dfd7cd5ea1e2a8d703d3c8c4
                                                                              • Opcode Fuzzy Hash: 1d872db433a81e01f685868e37347708edf528e9f1975564dc6db9ccf1dcf8e1
                                                                              • Instruction Fuzzy Hash: B8F027B060130D66DF14EAA89941ABF73ECFB00205B500669EE22E37C0EBB0FE04D5D4
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE3C1B
                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 02CE3C30
                                                                                • Part of subcall function 02CF23F7: std::exception::exception.LIBCMT ref: 02CF2401
                                                                                • Part of subcall function 02CEA58A: __EH_prolog.LIBCMT ref: 02CEA58F
                                                                                • Part of subcall function 02CEA58A: __CxxThrowException@8.LIBCMT ref: 02CEA5B8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                              • String ID: bad cast
                                                                              • API String ID: 1300498068-3145022300
                                                                              • Opcode ID: 4891480a8ec1d91370fb99b0645b1df2c452531b4f7028e00549aa4104cc780a
                                                                              • Instruction ID: 8b8902ec1f67d2b305f81ea213d28d26f13f8dfa22022dc2783eef7522d1d0ca
                                                                              • Opcode Fuzzy Hash: 4891480a8ec1d91370fb99b0645b1df2c452531b4f7028e00549aa4104cc780a
                                                                              • Instruction Fuzzy Hash: 0BF0A7729005048BCB19DF54E440AEAB775FF51311F10416EEE0A5B390CB72EE4ADE91
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE38D2
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02CE38F1
                                                                                • Part of subcall function 02CE1410: std::exception::exception.LIBCMT ref: 02CE1428
                                                                                • Part of subcall function 02CE88BF: _memmove.LIBCMT ref: 02CE88DF
                                                                              Strings
                                                                              • Year is out of valid range: 1400..10000, xrefs: 02CE38E0
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Year is out of valid range: 1400..10000
                                                                              • API String ID: 3258419250-2344417016
                                                                              • Opcode ID: e8e3b3c21953326539616fe8e3701b465cb38eb95c8a1abd2ec00ac9e62c4ff9
                                                                              • Instruction ID: 669df2c8f8ad0c6324158f31eb1fc39a8c8a5594f71c1dcd95f1577dfd210022
                                                                              • Opcode Fuzzy Hash: e8e3b3c21953326539616fe8e3701b465cb38eb95c8a1abd2ec00ac9e62c4ff9
                                                                              • Instruction Fuzzy Hash: 3CE09272E4010497EB14EB989855BDDB769EF08710F00054AD806673D0DAB11D44DB95
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE3886
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02CE38A5
                                                                                • Part of subcall function 02CE1410: std::exception::exception.LIBCMT ref: 02CE1428
                                                                                • Part of subcall function 02CE88BF: _memmove.LIBCMT ref: 02CE88DF
                                                                              Strings
                                                                              • Day of month value is out of range 1..31, xrefs: 02CE3894
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Day of month value is out of range 1..31
                                                                              • API String ID: 3258419250-1361117730
                                                                              • Opcode ID: 51b251f186b8b72c10a093fedb8dba163447a949aa7c29f8344bd444e0f2228d
                                                                              • Instruction ID: 4607c2eb1005f5bbb0aa98f1a58577f1d5d6a3bf89b6a81eea5a6195c2935863
                                                                              • Opcode Fuzzy Hash: 51b251f186b8b72c10a093fedb8dba163447a949aa7c29f8344bd444e0f2228d
                                                                              • Instruction Fuzzy Hash: 3FE09272A0010497EB14EB949851BDDB769EF08B10F40015AD806633D0DAB11D449B95
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE391E
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02CE393D
                                                                                • Part of subcall function 02CE1410: std::exception::exception.LIBCMT ref: 02CE1428
                                                                                • Part of subcall function 02CE88BF: _memmove.LIBCMT ref: 02CE88DF
                                                                              Strings
                                                                              • Month number is out of range 1..12, xrefs: 02CE392C
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Month number is out of range 1..12
                                                                              • API String ID: 3258419250-4198407886
                                                                              • Opcode ID: 4f4cff3931f99f11c073ce45fc907fc364ab4a2ad896bf68a0f52154242ebf77
                                                                              • Instruction ID: 6a49ea28bbb6603fae661aebca3ca943c41efacccc5a29520187abeec22cf555
                                                                              • Opcode Fuzzy Hash: 4f4cff3931f99f11c073ce45fc907fc364ab4a2ad896bf68a0f52154242ebf77
                                                                              • Instruction Fuzzy Hash: 75E09272E0020897EB18FB989891BDDB769EF08710F40014AD806633D0DAF12D449B91
                                                                              APIs
                                                                              • TlsAlloc.KERNEL32 ref: 02CE19CC
                                                                              • GetLastError.KERNEL32 ref: 02CE19D9
                                                                                • Part of subcall function 02CE1712: __EH_prolog.LIBCMT ref: 02CE1717
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocErrorH_prologLast
                                                                              • String ID: tss
                                                                              • API String ID: 249634027-1638339373
                                                                              • Opcode ID: 48ae641757afa71e009fc3049bd83a852384b615988c6ab87aca50b6d4750ef5
                                                                              • Instruction ID: 25497f40c1adf7c8e550e534bb11865124313dbadbaa23c6858adb94cab7ad95
                                                                              • Opcode Fuzzy Hash: 48ae641757afa71e009fc3049bd83a852384b615988c6ab87aca50b6d4750ef5
                                                                              • Instruction Fuzzy Hash: 7DE08632D042105BC7007B78DC4959BBBA49A44230F148B66EDBE873E4EB705D209BD6
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02CE3BD8
                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 02CE3BED
                                                                                • Part of subcall function 02CF23F7: std::exception::exception.LIBCMT ref: 02CF2401
                                                                                • Part of subcall function 02CEA58A: __EH_prolog.LIBCMT ref: 02CEA58F
                                                                                • Part of subcall function 02CEA58A: __CxxThrowException@8.LIBCMT ref: 02CEA5B8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3721030776.0000000002CE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_2ce1000_jennyvideoconverter.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                              • String ID: bad cast
                                                                              • API String ID: 1300498068-3145022300
                                                                              • Opcode ID: 839ae7fac4dd93b2a1e5f4c3792248496e6022e0d8507135d567566da420ca5f
                                                                              • Instruction ID: 9236d4cc17a6c54b2fd4b99a91be83aadc1f43fdb76adc3226e2f4bfc2463f54
                                                                              • Opcode Fuzzy Hash: 839ae7fac4dd93b2a1e5f4c3792248496e6022e0d8507135d567566da420ca5f
                                                                              • Instruction Fuzzy Hash: D1E01A719001089BCB18EF94E991BB8B775EB54300F4080ADDE0A573E0CB35AE5ADE96
                                                                              APIs
                                                                              • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 00404494
                                                                              • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044C8
                                                                              • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044E2
                                                                              • HeapFree.KERNEL32(00000000,?,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044F9
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3712520206.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3712520206.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_jennyvideoconverter.jbxd
                                                                              Similarity
                                                                              • API ID: AllocHeap$FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 3499195154-0
                                                                              • Opcode ID: 03264f3b7f6a3c24648121467edc173d78a87d9b85cb2d8b679f40e74ce8d20c
                                                                              • Instruction ID: 6532d2b8740b88ca5c68c93f46193dcc45771cdeba7f909f778517217a69801f
                                                                              • Opcode Fuzzy Hash: 03264f3b7f6a3c24648121467edc173d78a87d9b85cb2d8b679f40e74ce8d20c
                                                                              • Instruction Fuzzy Hash: 02113670200301AFC731CF29EE45A627BB5FB847207104A3AF252E65F0D775A866EF19